PT-2024-24337 · Unknown · Xwiki Platform
Pierre Jeanjean
·
Published
2024-04-10
·
Updated
2025-01-21
·
CVE-2024-31987
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 6.4-milestone-1 through 14.10.18
XWiki Platform 15.x versions prior to 15.5.4
XWiki Platform 15.6 and later versions prior to 15.10-rc-1
Description
The XWiki Platform is affected by a remote code execution vulnerability in the way skin template overrides are executed. XWiki lets a wiki page define a custom skin, and a skin can override the templates used to render the wiki. In the affected versions such template overrides are executed with programming rights regardless of who wrote them. As a result, any user who can edit any page, including their own profile page, can create a custom skin carrying a template override and thereby execute arbitrary code on the server.
Recommendations
For XWiki Platform versions 6.4-milestone-1 through 14.10.18, upgrade to version 14.10.19 or later.
For XWiki Platform 15.x versions prior to 15.5.4, upgrade to version 15.5.4 or later.
For XWiki Platform 15.6 and later versions prior to 15.10-rc-1, upgrade to version 15.10-rc-1 or later.
As a temporary workaround until the upgrade is applied, restrict who can edit pages and create custom skins. Note that the advisory treats a user's own profile page as sufficient, so the restriction has to cover profile pages as well, not only content spaces. It is also worth reviewing existing pages for custom skin definitions and template overrides added by users who are not administrators.
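One way to carry out that review offline, as an added example that is not the project's own tooling: audit an XWiki XAR export for pages that define a custom skin and report who authored them and which templates they override. It assumes the XAR layout described in the module docstring (zip of per-page XML with an `xwikidoc` root, `author`/`contentAuthor` children, skin definitions as objects of class `XWiki.XWikiSkins`, overrides stored as object properties named after the template or as `.vm` attachments); the sample pages and the user names `XWiki.Admin` and `XWiki.mallory` are constructed for the example.

```python
"""Audit an XWiki XAR export for custom skins carrying template overrides.

Added example, not XWiki's own tooling. Assumptions: a XAR is a zip of
per-page XML files whose root is <xwikidoc> (attribute 'reference', children
<author>, <contentAuthor>, <object>, <attachment>); a skin is an <object> whose
<className> is XWiki.XWikiSkins; its template overrides are stored either as
object properties named after the template (<property><view.vm>..</view.vm>
</property>) or as attachments with a .vm filename. Samples are constructed.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from dataclasses import dataclass

SKIN_CLASS = "XWiki.XWikiSkins"


@dataclass
class SkinFinding:
    page: str
    author: str
    content_author: str
    overrides: list


def _text(elem, tag):
    child = elem.find(tag)
    return (child.text or "").strip() if child is not None else ""


def inspect_document(xml_doc):
    """Return a SkinFinding if the page defines a skin, else None."""
    root = ET.fromstring(xml_doc)
    if root.tag != "xwikidoc":
        return None
    skins = [o for o in root.findall("object") if _text(o, "className") == SKIN_CLASS]
    if not skins:
        return None
    overrides = set()
    for obj in skins:
        for prop in obj.findall("property"):
            # each <property> wraps exactly one element named after the field
            overrides.update(f.tag for f in prop if f.tag.endswith(".vm"))
    for att in root.findall("attachment"):
        name = _text(att, "filename")
        if name.endswith(".vm"):
            overrides.add(name)
    page = root.get("reference") or f"{_text(root, 'web')}.{_text(root, 'name')}"
    return SkinFinding(page, _text(root, "author"), _text(root, "contentAuthor"),
                       sorted(overrides))


def audit_xar(xar_bytes, trusted_authors):
    """Skin pages whose author or content author is outside trusted_authors.
    Flagging is by authorship; the override list says what to inspect first."""
    trusted = set(trusted_authors)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(xar_bytes)) as zf:
        for entry in zf.namelist():
            if not entry.endswith(".xml") or entry == "package.xml":
                continue
            finding = inspect_document(zf.read(entry))
            if finding and not {finding.author, finding.content_author} <= trusted:
                flagged.append(finding)
    return flagged


# Constructed sample pages, trimmed to the elements the audit reads.
ADMIN_SKIN = """<xwikidoc version="1.3" reference="XWiki.DefaultSkin" locale="">
<web>XWiki</web><name>DefaultSkin</name>
<author>xwiki:XWiki.Admin</author><contentAuthor>xwiki:XWiki.Admin</contentAuthor>
<object><name>XWiki.DefaultSkin</name><number>0</number><className>XWiki.XWikiSkins</className>
<property><name>Default</name></property><property><baseskin>flamingo</baseskin></property>
</object></xwikidoc>"""

# A regular user's profile page that also carries a skin with two overrides;
# the override body is a placeholder, not exploit content.
USER_SKIN = """<xwikidoc version="1.3" reference="XWiki.mallory" locale="">
<web>XWiki</web><name>mallory</name>
<author>xwiki:XWiki.mallory</author><contentAuthor>xwiki:XWiki.mallory</contentAuthor>
<object><name>XWiki.mallory</name><number>0</number><className>XWiki.XWikiUsers</className>
<property><first_name>Mallory</first_name></property></object>
<object><name>XWiki.mallory</name><number>0</number><className>XWiki.XWikiSkins</className>
<property><name>custom</name></property><property><baseskin>flamingo</baseskin></property>
<property><view.vm>## placeholder template body</view.vm></property></object>
<attachment><filename>htmlheader.vm</filename><author>xwiki:XWiki.mallory</author></attachment>
</xwikidoc>"""


def build_sample_xar():
    """Pack the constructed pages into an in-memory XAR-style zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.xml", "<package/>")
        zf.writestr("XWiki/DefaultSkin.xml", ADMIN_SKIN)
        zf.writestr("XWiki/mallory.xml", USER_SKIN)
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_xar(build_sample_xar(), {"xwiki:XWiki.Admin"}):
        print(f"{f.page}: author={f.author} contentAuthor={f.content_author} "
              f"overrides={', '.join(f.overrides) or '(none)'}")
```

Against a real export, replace `build_sample_xar()` with the bytes of the XAR file and the trusted set with the administrator accounts of the wiki; a skin page authored by an ordinary user is exactly the object the advisory describes, and any listed override on it is where the code that ran with programming rights would have been placed.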
Exploit
Fix
RCE
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Xwiki Platform