Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-31985

MEDIUM
Published 2024-04-10T20:11:53.091Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-31985. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
5.4
/10
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.003
probability
of exploitation in the wild

There is a 0.3% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.558
Higher than 55.8% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED

Impact Metrics

Confidentiality
NONE
Integrity
LOW
Availability
LOW

Description

XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such an URL in any content as an image. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, manually apply the patch by modifying the `Scheduler.WebHome` page.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

xwiki

xwiki-platform

Affected Versions:

>= 3.1, < 14.10.19 >= 15.0-rc-1, < 15.5.4 >= 15.6-rc-1, < 15.9

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

XWiki Platform CSRF in the job scheduler

GHSA-j2r6-r929-v6gf

Advisory Details

### Impact It is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such an URL in any content as an image. To reproduce in an XWiki installation, open `<xwiki-host>:/xwiki/bin/view/Scheduler/?do=trigger&which=Scheduler.NotificationEmailDailySender` as a user with admin rights. If there is no error message that indicates the CSRF token is invalid, the installation is vulnerable. ### Patches The vulnerability has been fixed on XWiki 14.10.19, 15.5.5, and 15.9. ### Workarounds Modify the Scheduler.WebHome page following this [patch](https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c#diff-1e2995eacccbbbdcc4987ff64f46ac74837d166cf9e92920b4a4f8af0f10bd47). ### References - https://jira.xwiki.org/browse/XWIKI-20851 - https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c

Affected Packages

Maven org.xwiki.platform:xwiki-platform-scheduler-ui
ECOSYSTEM: ≥3.1 <14.10.19
Maven org.xwiki.platform:xwiki-platform-scheduler-ui
ECOSYSTEM: ≥15.0-rc-1 <15.5.4
Maven org.xwiki.platform:xwiki-platform-scheduler-ui
ECOSYSTEM: ≥15.6-rc-1 <15.9

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

References

WEB https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2r6-r929-v6gf
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-31985
WEB https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf
WEB https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87
WEB https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c
WEB https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269
PACKAGE https://github.com/xwiki/xwiki-platform
WEB https://jira.xwiki.org/browse/XWIKI-20851

Advisory provided by GitHub Security Advisory Database. Published: April 10, 2024, Modified: April 10, 2024

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2r6-r929-v6gf
https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf
https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87
https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c
https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269
https://jira.xwiki.org/browse/XWIKI-20851
Published: 2024-04-10T20:11:53.091Z
Last Modified: 2024-08-02T01:59:50.770Z
Copied to clipboard!