CVE-2024-31986: XWiki Platform CSRF remote code execution through scheduler job's document reference
By creating a document with a special crafted documented reference and an XWiki.SchedulerJobClass XObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki.
References
- github.com/advisories/GHSA-37m4-hqxv-w26g
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf
- github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87
- github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-37m4-hqxv-w26g
- jira.xwiki.org/browse/XWIKI-21416
- nvd.nist.gov/vuln/detail/CVE-2024-31986
Code Behaviors & Features
Detect and mitigate CVE-2024-31986 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →