PT-2024-24335 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-04-18 · Updated 2025-01-23 · CVE-2024-31985

CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 3.1 through 4.10.19
XWiki Platform versions 14.10.18 and earlier
XWiki Platform versions 15.5.4 and earlier
XWiki Platform version 15.10-rc-1 and earlier
Description

The Job Scheduler page (Scheduler.WebHome) schedules, triggers or unschedules an existing job in response to a plain GET request with predictable parameters, without checking a CSRF token. An attacker who can place content anywhere an admin will view can therefore embed such a URL as an image: when the admin's browser renders the page it fetches the image URL with the admin's session cookie, and the scheduler performs the requested action.

To check whether an installation is affected, visit the following URL as a user with admin rights (NotificationEmailDailySender is an existing scheduler job, used here as the example target):

<xwiki-host>/xwiki/bin/view/Scheduler/?do=trigger&which=Scheduler.NotificationEmailDailySender

If the page does not answer with an error message saying that the CSRF token is invalid, the installation is vulnerable. Note that on a vulnerable installation the check itself triggers the job.
Recommendations

For XWiki Platform versions 3.1 through 4.10.19, update to version 4.10.20 or later.
For XWiki Platform versions 14.10.18 and earlier, update to version 14.10.19 or later.
For XWiki Platform versions 15.5.4 and earlier, update to version 15.5.5 or later.
For XWiki Platform version 15.10-rc-1 and earlier, update to version 15.9 or later.

As a temporary workaround, apply the patch manually by editing the Scheduler.WebHome page so that the schedule, trigger and unschedule actions are only executed when the request carries a valid CSRF token.
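The following Velocity snippet shows the shape of such a CSRF gate for the scheduler actions named in the description. It is an added example, not the page's or the XWiki project's own patch: the CSRF calls ($services.csrf.isTokenValid, $services.csrf.getResubmissionURL, $services.csrf.token) are XWiki's standard CSRF script service, while the way the job is loaded from the "which" parameter and handed to the scheduler plugin API ($xwiki.scheduler) is an assumption about how the page acts on jobs, and a real page would also render the job list.

```velocity
{{velocity}}
## Added example (not the project's patch): a CSRF gate for the Scheduler.WebHome
## actions described in the advisory (do=schedule|trigger|unschedule, which=<job doc>).
## Assumptions: the job document is loaded from the "which" parameter and acted on
## through the scheduler plugin API ($xwiki.scheduler).
#set ($action = "$!request.do")
#if ($action != '')
  #if (!$services.csrf.isTokenValid("$!request.form_token"))
    ## A request forged through an <img> tag or a pasted link never carries the token.
    ## Instead of running the action, send the user to XWiki's resubmission page, which
    ## shows what was requested and asks for an explicit confirmation.
    $response.sendRedirect($services.csrf.getResubmissionURL())
    $xcontext.setFinished(true)
  #elseif (!$services.security.authorization.hasAccess('admin'))
    {{error}}Admin rights are required to manage scheduler jobs.{{/error}}
  #else
    #set ($jobDoc = $xwiki.getDocument($request.which))
    #set ($job = $jobDoc.getObject('XWiki.SchedulerJobClass'))
    #if ($job)
      #if ($action == 'schedule')
        $xwiki.scheduler.scheduleJob($job)
      #elseif ($action == 'trigger')
        $xwiki.scheduler.triggerJob($job)
      #elseif ($action == 'unschedule')
        $xwiki.scheduler.unscheduleJob($job)
      #end
    #else
      {{error}}No scheduler job found in $request.which{{/error}}
    #end
  #end
#end

## Legitimate action links must carry the token so that they still pass the check:
## this is the hardened form of the predictable URL quoted in the description.
#set ($jobRef = 'Scheduler.NotificationEmailDailySender')
[[Trigger now>>path:$doc.getURL('view', "do=trigger&which=${jobRef}&form_token=${services.csrf.token}")]]
{{/velocity}}
```

The forged request from the description would be an image placed in any wiki content, in XWiki syntax [[image:https://<xwiki-host>/xwiki/bin/view/Scheduler/?do=trigger&which=Scheduler.NotificationEmailDailySender]]. With the gate above that request carries no form_token, so it ends at the resubmission page instead of reaching the scheduler; only a click on a link that embeds the current user's token runs the action.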

Exploit

Fix

Weakness Enumeration: Incorrect Authorization, Missing Authorization, CSRF

Related Identifiers

BDU:2025-12950
CVE-2024-31985
GHSA-J2R6-R929-V6GF

Affected Products

Xwiki Platform