PT-2024-24338 · Xwiki · Xwiki Platform

Pierre Jeanjean

·

Published

2024-04-10

·

Updated

2025-01-09

·

CVE-2024-31988

CVSS v3.1

9.6

Critical

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 13.9-rc-1 through 4.10.18
XWiki Platform versions 13.9-rc-1 through 15.5.3
XWiki Platform versions 13.9-rc-1 through 15.10-rc-1

Description

The XWiki Platform is a generic wiki platform. When the realtime editor is installed, it allows arbitrary remote code execution through the interaction of an admin user who has programming right. This is achieved by getting an admin user either to visit a crafted URL or to view an image pointing at that URL, which could be embedded in a comment; the request then executes arbitrary XWiki syntax, including scripting macros with Groovy or Python code. This compromises the confidentiality, integrity, and availability of the whole XWiki installation.

To test for the vulnerability, an admin can open the following API endpoint: "/xwiki/bin/get/RTFrontend/ConvertHTML?wiki=xwiki&space=Main&page=WebHome&text=%7B%7Bvelocity%7D%7D%24logtool.error%28%22Hello%20from%20Velocity%20%21%22%29%7B%7B%2Fvelocity%7D%7D". If the error "Hello from Velocity!" gets logged, the installation is vulnerable.

Recommendations

For XWiki Platform versions 13.9-rc-1 through 4.10.18, update to version 4.10.19 or later.
For XWiki Platform versions 13.9-rc-1 through 15.5.3, update to version 15.5.4 or later.
For XWiki Platform versions 13.9-rc-1 through 15.10-rc-1, update to version 15.10 or later.
As a temporary workaround, one may update RTFrontend.ConvertHTML manually with the patch, but this will break some synchronization processes in the realtime editor.
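Because the test request above is the same shape an attacker's lure would take (a GET to RTFrontend/ConvertHTML whose text parameter carries XWiki macro syntax), a defender can hunt for past exploitation attempts in the web server's access logs. The following is an added example, not code from the advisory or from the XWiki project: it parses combined-format access log lines (the sample lines are constructed) and flags ConvertHTML calls whose decoded text parameter contains a velocity, groovy or python scripting macro.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Scripting macros named in the advisory (velocity from its test URL, groovy and python from its description).
SCRIPT_MACROS = ("velocity", "groovy", "python")
MACRO_RE = re.compile(r"\{\{\s*(" + "|".join(SCRIPT_MACROS) + r")\b", re.IGNORECASE)

# Combined log format: client ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: the advisory's own test URL, a benign ConvertHTML call, and a groovy variant.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2024:12:00:01 +0000] "GET /xwiki/bin/get/RTFrontend/ConvertHTML?wiki=xwiki'
    '&space=Main&page=WebHome&text=%7B%7Bvelocity%7D%7D%24logtool.error%28%22Hello%20from%20Velocity%20'
    '%21%22%29%7B%7B%2Fvelocity%7D%7D HTTP/1.1" 200 12 "http://wiki.example/xwiki/bin/view/Main/WebHome" "Mozilla/5.0"',
    '198.51.100.4 - alice [10/Apr/2024:12:00:05 +0000] "GET /xwiki/bin/get/RTFrontend/ConvertHTML?wiki=xwiki'
    '&space=Main&page=WebHome&text=%3Cp%3Ehello%3C%2Fp%3E HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2024:12:01:09 +0000] "GET /xwiki/bin/get/RTFrontend/ConvertHTML?wiki=xwiki'
    '&space=Main&page=WebHome&text=%7B%7Bgroovy%7D%7Dprintln%281%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 5 '
    '"http://wiki.example/xwiki/bin/view/Sandbox/Comments" "Mozilla/5.0"',
]


def inspect_request(target):
    """Return the scripting macro name if `target` is a ConvertHTML call carrying macro syntax, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/RTFrontend/ConvertHTML"):
        return None
    # parse_qs decodes one layer of percent-encoding; unquote again to catch double-encoded payloads.
    for value in parse_qs(parts.query).get("text", []):
        match = MACRO_RE.search(unquote(value))
        if match:
            return match.group(1).lower()
    return None


def scan_access_log(lines):
    """Return (client, time, macro, referer) for every suspicious ConvertHTML request in `lines`."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # not a combined-format line; skip rather than fail on odd input
        macro = inspect_request(match.group("target"))
        if macro:
            hits.append((match.group("client"), match.group("time"), macro, match.group("referer")))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("client=%s time=%s macro=%s referer=%s" % hit)
```

The Referer column is worth keeping: a hit whose referer is a wiki page (such as a comment thread) rather than the editor itself is consistent with an admin having been lured by an embedded image, as the advisory describes.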

Exploit

Fix

RCE

CSRF

Weakness Enumeration

Related Identifiers

CVE-2024-31988
GHSA-R5VH-GC3R-R24W

Affected Products

Xwiki Platform