CVE-2024-31985
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-31985
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-31985.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-31985
- Aliases
- Published
- 2024-04-10T20:11:53.091Z
- Modified
- 2025-11-29T18:35:06.229623Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- XWiki Platform CSRF in the job scheduler
- Details
-
XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such an URL in any content as an image. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, manually apply the patch by modifying the
Scheduler.WebHomepage. - Database specific
{ "cwe_ids": [ "CWE-352" ] }- References
-
- https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf
- https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87
- https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c
- https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2r6-r929-v6gf
- https://jira.xwiki.org/browse/XWIKI-20851
Affected packages
Git / github.com/xwiki/xwiki-commons
Git / github.com/xwiki/xwiki-platform
Affected ranges
- Type
- GIT
- Repo
- https://github.com/xwiki/xwiki-platform
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixedFixedFixed
Affected versions
xwiki-application-calendar-1.*
xwiki-application-calendar-1.0
xwiki-platform-7.*
xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2
xwiki-platform-8.*
xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1
xwiki-platform-9.*
xwiki-platform-9.9-rc-2
xwiki-plugin-tag-1.*
xwiki-plugin-tag-1.1
Database specific
vanir_signatures
[
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"121378514480918854916168266058246033566",
"200525902641438542534972148193428897770",
"185478702196393369682215718148634048340",
"33822468072397001711675659228385163512",
"165914234478105040263359577784519239113",
"160493883172480499829469175096185246806",
"257095334189023559688806329180752486328",
"323790012675282877244684223203130316944",
"210077849249706137297839360767059304759",
"66062187643554447548786855383546340143"
]
},
"id": "CVE-2024-31985-1d303275",
"signature_type": "Line",
"source": "https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269",
"target": {
"file": "xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-test/xwiki-platform-scheduler-test-docker/src/test/it/org/xwiki/scheduler/test/ui/SchedulerIT.java"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"121378514480918854916168266058246033566",
"200525902641438542534972148193428897770",
"185478702196393369682215718148634048340",
"33822468072397001711675659228385163512",
"165914234478105040263359577784519239113",
"160493883172480499829469175096185246806",
"257095334189023559688806329180752486328",
"323790012675282877244684223203130316944",
"210077849249706137297839360767059304759",
"66062187643554447548786855383546340143"
]
},
"id": "CVE-2024-31985-38a0fb89",
"signature_type": "Line",
"source": "https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf",
"target": {
"file": "xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-test/xwiki-platform-scheduler-test-docker/src/test/it/org/xwiki/scheduler/test/ui/SchedulerIT.java"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"121378514480918854916168266058246033566",
"200525902641438542534972148193428897770",
"185478702196393369682215718148634048340",
"33822468072397001711675659228385163512",
"165914234478105040263359577784519239113",
"160493883172480499829469175096185246806",
"257095334189023559688806329180752486328",
"323790012675282877244684223203130316944",
"210077849249706137297839360767059304759",
"66062187643554447548786855383546340143"
]
},
"id": "CVE-2024-31985-798c259a",
"signature_type": "Line",
"source": "https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c",
"target": {
"file": "xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-test/xwiki-platform-scheduler-test-docker/src/test/it/org/xwiki/scheduler/test/ui/SchedulerIT.java"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "239516309326033634555325291864226371297",
"length": 1712.0
},
"id": "CVE-2024-31985-89e5dae0",
"signature_type": "Function",
"source": "https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87",
"target": {
"file": "xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-test/xwiki-platform-scheduler-test-docker/src/test/it/org/xwiki/scheduler/test/ui/SchedulerIT.java",
"function": "verifyScheduler"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "239516309326033634555325291864226371297",
"length": 1712.0
},
"id": "CVE-2024-31985-b0d52050",
"signature_type": "Function",
"source": "https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c",
"target": {
"file": "xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-test/xwiki-platform-scheduler-test-docker/src/test/it/org/xwiki/scheduler/test/ui/SchedulerIT.java",
"function": "verifyScheduler"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"121378514480918854916168266058246033566",
"200525902641438542534972148193428897770",
"185478702196393369682215718148634048340",
"33822468072397001711675659228385163512",
"165914234478105040263359577784519239113",
"160493883172480499829469175096185246806",
"257095334189023559688806329180752486328",
"323790012675282877244684223203130316944",
"210077849249706137297839360767059304759",
"66062187643554447548786855383546340143"
]
},
"id": "CVE-2024-31985-bd9765e2",
"signature_type": "Line",
"source": "https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87",
"target": {
"file": "xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-test/xwiki-platform-scheduler-test-docker/src/test/it/org/xwiki/scheduler/test/ui/SchedulerIT.java"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "239516309326033634555325291864226371297",
"length": 1712.0
},
"id": "CVE-2024-31985-e0f63b75",
"signature_type": "Function",
"source": "https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269",
"target": {
"file": "xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-test/xwiki-platform-scheduler-test-docker/src/test/it/org/xwiki/scheduler/test/ui/SchedulerIT.java",
"function": "verifyScheduler"
}
},
{
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "239516309326033634555325291864226371297",
"length": 1712.0
},
"id": "CVE-2024-31985-e979075f",
"signature_type": "Function",
"source": "https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf",
"target": {
"file": "xwiki-platform-core/xwiki-platform-scheduler/xwiki-platform-scheduler-test/xwiki-platform-scheduler-test-docker/src/test/it/org/xwiki/scheduler/test/ui/SchedulerIT.java",
"function": "verifyScheduler"
}
}
]