CVE-2024-31996

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-31996
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-31996.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-31996
Aliases
Published
2024-04-10T20:46:19.929Z
Modified
2026-02-05T21:45:26.415389Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution
Details

XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape {, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9 RC1. Apart from upgrading, there is no generic workaround. However, replacing $escapetool.html by $escapetool.xml in XWiki documents fixes the vulnerability. In a standard XWiki installation, the maintainers are only aware of the document Panels.PanelLayoutUpdate that exposes this vulnerability, patching this document is thus a workaround. Any extension could expose this vulnerability and might thus require patching, too.

Database specific 
{
    "cwe_ids": [
        "CWE-95"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/31xxx/CVE-2024-31996.json"
}
References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-commons
Events
Introduced
722146367f589d701b0c0e26d9df6cf0ac07b55a
Fixed
4810ba1812450ef533c882c5abff598676b1be18
Introduced
fdba4ca1398766e912f7888af5bdefbeef60d8b0
Fixed
5596ee59ff8035c3141aaeddc6e66f119c30574a
Introduced
1e0e26611ad39442be884e876d902441a51fd34a
Fixed
943b4a6a0a0e2b9b94f6f184e823f82b262ea8d3
Fixed
b0805160ec7b01ee12417e79cb384e60ae4817aa
Fixed
b94142e2a66ec32e89eacab67c3da8d91f5ef93a
Fixed
ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915

Database specific

vanir_signatures 
[
    {
        "deprecated": false,
        "source": "https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a",
        "id": "CVE-2024-31996-022fc187",
        "target": {
            "file": "xwiki-commons-core/xwiki-commons-velocity/src/main/java/org/xwiki/velocity/tools/EscapeTool.java"
        },
        "digest": {
            "line_hashes": [
                "14794386082048038712995288442354036883",
                "170877961568052391640286929605381723229",
                "105298785963277106450062124703652539126",
                "276877236237325934081055004859834076989",
                "32728517852872531029786471332956921682",
                "264871882873055860448079786725953733484",
                "75327758018379622386255647218165851192",
                "170485130979804215484581918263514001914",
                "60056139245300251128086705617514906854",
                "130804967786329709520038656179401127341"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915",
        "id": "CVE-2024-31996-074ed9a3",
        "target": {
            "file": "xwiki-commons-core/xwiki-commons-velocity/src/main/java/org/xwiki/velocity/tools/EscapeTool.java"
        },
        "digest": {
            "line_hashes": [
                "14794386082048038712995288442354036883",
                "170877961568052391640286929605381723229",
                "105298785963277106450062124703652539126",
                "276877236237325934081055004859834076989",
                "32728517852872531029786471332956921682",
                "264871882873055860448079786725953733484",
                "75327758018379622386255647218165851192",
                "170485130979804215484581918263514001914",
                "60056139245300251128086705617514906854",
                "130804967786329709520038656179401127341"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a",
        "id": "CVE-2024-31996-5547c722",
        "target": {
            "file": "xwiki-commons-core/xwiki-commons-velocity/src/test/java/org/xwiki/velocity/tools/EscapeToolTest.java"
        },
        "digest": {
            "line_hashes": [
                "49255652595866520418733874550655267893",
                "277729335052964325839688141344852514638"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa",
        "id": "CVE-2024-31996-7cec3b68",
        "target": {
            "file": "xwiki-commons-core/xwiki-commons-velocity/src/main/java/org/xwiki/velocity/tools/EscapeTool.java"
        },
        "digest": {
            "line_hashes": [
                "14794386082048038712995288442354036883",
                "170877961568052391640286929605381723229",
                "105298785963277106450062124703652539126",
                "276877236237325934081055004859834076989",
                "32728517852872531029786471332956921682",
                "264871882873055860448079786725953733484",
                "75327758018379622386255647218165851192",
                "170485130979804215484581918263514001914",
                "60056139245300251128086705617514906854",
                "130804967786329709520038656179401127341"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa",
        "id": "CVE-2024-31996-9a96e2da",
        "target": {
            "file": "xwiki-commons-core/xwiki-commons-velocity/src/test/java/org/xwiki/velocity/tools/EscapeToolTest.java"
        },
        "digest": {
            "line_hashes": [
                "49255652595866520418733874550655267893",
                "277729335052964325839688141344852514638"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    },
    {
        "deprecated": false,
        "source": "https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915",
        "id": "CVE-2024-31996-b6f7f411",
        "target": {
            "file": "xwiki-commons-core/xwiki-commons-velocity/src/test/java/org/xwiki/velocity/tools/EscapeToolTest.java"
        },
        "digest": {
            "line_hashes": [
                "49255652595866520418733874550655267893",
                "277729335052964325839688141344852514638"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "signature_version": "v1"
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-31996.json"

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
96b4a230ee41ef74268c9720722f6473c705583d
Fixed
0e37972524b5a68c44734112f38a48e746b0909e
Introduced
cb249a1a7570161ad6672449fbe89485fb489e95
Fixed
7a8f9b1236bc9271b607fb92e700377e37f67cf2
Introduced
804f16c0efbf6ba3d08c7ad780b81b7203741d8c
Fixed
9d9df1a75094bc677015c7f8321a7e2081662aae

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-31996.json"