10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-31982

GHSA ID

GHSA-2858-8cfx-69m9

EPSS Score

0.99902%

CWE

CWE-94

Published

4/10/2024

Updated

1/21/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-31982

CVE-2024-31982:
XWiki Platform: Remote code execution as guest via DatabaseSearch

Impact

XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce on an instance, without being logged in, go to <hostname>/xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20. If the title of the RSS channel contains Hello from search text:42, the instance is vulnerable.

Patches

This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1.

Workarounds

It is possible to manually apply this patch to the page Main.DatabaseSearch. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.

References

https://jira.xwiki.org/browse/XWIKI-21472
https://github.com/xwiki/xwiki-platform/commit/95bdd6cc6298acdf7f8f21298d40eeb8390a8565

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-31982

GHSA ID

GHSA-2858-8cfx-69m9

EPSS Score

0.99902%

CWE

CWE-94

Published

4/10/2024

Updated

1/21/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-search-ui	maven	>= 2.4-milestone-1, < 14.10.20	14.10.20
org.xwiki.platform:xwiki-platform-search-ui	maven	>= 15.0-rc-1, < 15.5.4	15.5.4
org.xwiki.platform:xwiki-platform-search-ui	maven	>= 15.6-rc-1, < 15.10-rc-1	15.10-rc-1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The key vulnerability stemmed from how the DatabaseSearch template handled RSS feed generation. The pre-patch version used unsafe triple-brace syntax to render feed output, which doesn't escape content and allows XWiki syntax interpretation. Attackers could inject closing template tags followed by Groovy code, which would be executed during rendering. The patch replaced this with direct response writing, bypassing template processing. The vulnerable pattern is clearly shown in the diff where {{$xwiki.feed.getFeedOutput(...)}} was removed and replaced with safe output handling methods.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t XWiki's **t***s* s**r** *llows r*mot* *o** *x**ution t*rou** t** s**r** t*xt. T*is *llows r*mot* *o** *x**ution *or *ny visitor o* * pu*li* wiki or us*r o* * *los** wiki *s t** **t***s* s**r** is *y ****ult ****ssi*l* *or *ll us*rs. T*is i

Reasoning

T** k*y vuln*r**ility st*mm** *rom *ow t** `**t***s*S**r**` t*mpl*t* **n*l** RSS **** **n*r*tion. T** pr*-p*t** v*rsion us** uns*** tripl*-*r*** synt*x to r*n**r **** output, w*i** *o*sn't *s**p* *ont*nt *n* *llows `XWiki` synt*x int*rpr*t*tion. *tt*

10

Basic Information

Concerned about an active attack path?

CVE-2024-31982: XWiki Platform: Remote code execution as guest via DatabaseSearch

Impact

Patches

Workarounds

References

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-31982:
XWiki Platform: Remote code execution as guest via DatabaseSearch

Vulnerability Intelligence
Miggo AI