XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 25 Sep 2025 17:30:00 +0000


Thu, 13 Feb 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Xwiki xwiki-platform
CPEs cpe:2.3:a:xwiki:xwiki-platform:*:*:*:*:*:*:*:*
Vendors & Products Xwiki xwiki-platform
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 21 Jan 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Xwiki
Xwiki xwiki
Weaknesses CWE-94
CPEs cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Vendors & Products Xwiki
Xwiki xwiki

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-09-25T16:39:01.533Z

Reserved: 2024-04-08T13:48:37.490Z

Link: CVE-2024-31982

cve-icon Vulnrichment

Updated: 2025-09-25T16:39:01.533Z

cve-icon NVD

Status : Modified

Published: 2024-04-10T20:15:08.463

Modified: 2025-09-25T17:15:36.963

Link: CVE-2024-31982

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.