PT-2024-24336 · Xwiki · Xwiki Platform
Michael Hamann · Published 2023-04-18 · Updated 2025-01-21 · CVE-2024-31986
CVSS v3.1 9.0 Critical
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 3.1 through 4.10.18
XWiki Platform versions 14.10.18 and earlier
XWiki Platform versions 15.5.4 and earlier
XWiki Platform version 15.10-rc-1 and earlier
Description
The issue allows execution of arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced. This can be achieved by creating a document with a specially crafted document reference and an XWiki.SchedulerJobClass XObject.
Recommendations
For XWiki Platform versions 3.1 through 4.10.18, update to version 4.10.19 or later.
For XWiki Platform versions 14.10.18 and earlier, update to version 14.10.19 or later.
For XWiki Platform versions 15.5.4 and earlier, update to version 15.5.5 or later.
For XWiki Platform version 15.10-rc-1 and earlier, update to version 15.9 or later.
As a temporary workaround, modify the Scheduler.WebHome page by applying the patch manually.
Exploit
Fix
Eval Injection
CSRF
Related Identifiers
Affected Products
Xwiki Platform