CVE-2024-31983

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-31983
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-31983.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-31983
Aliases
Published
2024-04-10T19:44:48.503Z
Modified
2026-04-10T05:12:34.273301Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
XWiki Platform: Remote code execution from edit in multilingual wikis via translations
Details

XWiki Platform is a generic wiki platform. In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations (script right for user-scope translations, wiki admin for translations on the wiki). Starting in version 4.3-milestone-2 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, this can be exploited for remote code execution if the translation value is not properly escaped where it is used. This has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may restrict edit rights on documents that contain translations.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/31xxx/CVE-2024-31983.json"
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
7e8a6514d4e46260ad30551d0197db9ecbe581ab
Fixed
2f1129b6da6811479225ab79caf2571452d72402
Database specific 
{
    "versions": [
        {
            "introduced": "4.3-milestone-2"
        },
        {
            "fixed": "14.10.20"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
d823334f762d5ad86bea378b65af0b230668d401
Fixed
0e37972524b5a68c44734112f38a48e746b0909e
Database specific 
{
    "versions": [
        {
            "introduced": "15.0-rc-1"
        },
        {
            "fixed": "15.5.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
201a8cdfdaad44618c79c6dd0c0bb855b446aafb
Fixed
2251e39df282f2a8b2b3581063eb75a8f30d5f30
Database specific 
{
    "versions": [
        {
            "introduced": "15.6-rc-1"
        },
        {
            "fixed": "15.10-rc-1"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-31983.json"