PT-2024-24346 · Xwiki · Xwiki Platform

Michael Hamann · Published 2023-10-17 · Updated 2025-01-09 · CVE-2024-31996

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 3.0.1 through 4.10.18
XWiki Platform versions 15.5.4 and earlier
XWiki Platform versions prior to 15.10-rc-1

Description

The HTML escaping tool used in XWiki ($escapetool.html) does not escape {, which can allow XWiki syntax injection and remote code execution when the escaped value is used in certain places. This issue can be exploited by a remote attacker. In a standard XWiki installation the vulnerability is reachable through the Panels.PanelLayoutUpdate document; any extension that relies on the same escaping tool could expose it as well.

Recommendations

For XWiki Platform versions 3.0.1 through 4.10.18, upgrade to version 4.10.19 or later.
For XWiki Platform versions 15.5.4 and earlier, upgrade to version 15.5.5 or later.
For XWiki Platform versions prior to 15.10-rc-1, upgrade to version 15.10-rc-1 or later.

As a temporary workaround, consider replacing $escapetool.html by $escapetool.xml in XWiki documents. Patching the Panels.PanelLayoutUpdate document can also serve as a workaround.
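The following Python script is an added illustration, not code from XWiki or from this advisory. It shows the gap the description points at (a plain HTML escaper leaves { untouched, so the output can still be read as wiki syntax) next to an escaper that also neutralises braces, and it implements the advisory's workaround as a check: a scanner that flags $escapetool.html( calls in exported page content or Velocity templates and a mechanical rewrite to $escapetool.xml(. The brace-escaping function, the regular expression and the sample template are constructed for this example and do not reproduce XWiki's own implementation.

```python
import html
import re

# Stand-in for the behaviour the advisory describes: a plain HTML escaper
# that handles &, <, >, " and ' but leaves the brace characters alone.
def html_escape_only(value: str) -> str:
    """Escape only the HTML metacharacters."""
    return html.escape(value, quote=True)

# Braces open and close XWiki macro and Velocity syntax, so an escaper that
# wants its output to be inert as wiki content must neutralise them too.
# (Illustrative entity mapping, not XWiki's code.)
XWIKI_SYNTAX_CHARS = {"{": "&#123;", "}": "&#125;"}

def xwiki_safe_escape(value: str) -> str:
    """HTML-escape and additionally replace { and } with numeric entities."""
    escaped = html.escape(value, quote=True)
    for ch, entity in XWIKI_SYNTAX_CHARS.items():
        escaped = escaped.replace(ch, entity)
    return escaped

def leaves_wiki_syntax(escaped: str) -> bool:
    """True if escaped output still contains a raw brace (a syntax-injection risk)."""
    return "{" in escaped or "}" in escaped

# Hypothetical scanner for the pattern the workaround says to replace.
HTML_ESCAPE_CALL = re.compile(r"\$escapetool\.html\s*\(")

def find_html_escape_calls(source: str):
    """Return (line_number, stripped_line) for each line calling $escapetool.html(...)."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if HTML_ESCAPE_CALL.search(line):
            hits.append((lineno, line.strip()))
    return hits

def rewrite_to_xml_escape(source: str) -> str:
    """Apply the advisory's workaround mechanically: $escapetool.html( -> $escapetool.xml(."""
    return HTML_ESCAPE_CALL.sub("$escapetool.xml(", source)

# Constructed sample Velocity template (not taken from any XWiki document).
SAMPLE_TEMPLATE = """\
{{velocity}}
#set ($title = $request.get('title'))
<h1>$escapetool.html($title)</h1>
<p>$escapetool.xml($request.get('note'))</p>
{{/velocity}}
"""

if __name__ == "__main__":
    sample = "<b>title</b> {x}"
    print("html only :", html_escape_only(sample), "| raw braces left:",
          leaves_wiki_syntax(html_escape_only(sample)))
    print("with braces:", xwiki_safe_escape(sample), "| raw braces left:",
          leaves_wiki_syntax(xwiki_safe_escape(sample)))
    for lineno, line in find_html_escape_calls(SAMPLE_TEMPLATE):
        print(f"line {lineno}: {line}")
    print(rewrite_to_xml_escape(SAMPLE_TEMPLATE))
```

Run the scanner over an XWiki XAR export (the page content lives in the content element of each page's XML file) to get an inventory of places that still use the weak call before deciding between the mechanical rewrite and a patch of the affected documents.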

Exploit · Fix · RCE · Code Injection · Eval Injection


Weakness Enumeration

Related Identifiers

BDU:2025-01581
CVE-2024-31996
GHSA-HF43-47Q4-FHQ5

Affected Products

Xwiki Platform