PT-2024-24347 · Unknown · Xwiki Platform

Author: Michael Hamann · Published: 2024-04-10 · Updated: 2025-01-09 · CVE-2024-31997

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 4.10.19
XWiki Platform versions prior to 15.5.4
XWiki Platform versions prior to 15.10-rc-1

Description

XWiki Platform is a generic wiki platform. In the affected versions, parameters of UI extensions are always interpreted as Velocity code and executed with programming rights. Any user with edit right on any document, such as the user's own profile, can create UI extensions, which allows remote code execution and impacts the confidentiality, integrity, and availability of the whole XWiki installation.

Recommendations

For versions prior to 4.10.19, update to version 4.10.19 or later.
For versions prior to 15.5.4, update to version 15.5.4 or later.
For versions prior to 15.10-rc-1, update to version 15.10-rc-1 or later.

As a temporary workaround until the patch is applied, consider restricting the creation of UI extensions to trusted users only. Avoid using the label parameter in UI extensions to minimize the risk of exploitation.

Tags: Exploit · Fix · RCE · Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2024-31997
GHSA-C2GG-4GQ4-JV5J

Affected Products

Xwiki Platform