10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-31987

CVE-2024-31987: XWiki Platform remote code execution from account via custom skins support

Impact

Any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution.

To reproduce, as a user without edit, script or admin right, add an object of class XWiki.XWikiSkins to your profile. Name it whatever you want and set the Base Skin to flamingo. Add an object of class XWikiSkinFileOverrideClass and set the path to macros.vm and the content to:

#macro(mediumUserAvatar $username)
  #resizedUserAvatar($username 50)
  $services.logging.getLogger('Skin').error("I got programming: $services.security.authorization.hasAccess('programming')")
#end

Back to your profile, click Test this skin. Force a refresh, just in case. If the error "Skin - I got programming: true" gets logged, the installation is vulnerable.

Patches

This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1.

Workarounds

We're not aware of any workaround except upgrading.

References

https://jira.xwiki.org/browse/XWIKI-21478
https://github.com/xwiki/xwiki-platform/commit/3d4dbb41f52d1a6e39835cfb1695ca6668605a39 (>= 15.8 RC1)
https://github.com/xwiki/xwiki-platform/commit/da177c3c972e797d92c1a31e278f946012c41b56 (< 15.8 RC1)

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-31987

CVE-2024-31987:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-oldcore	maven	>= 6.4-milestone-1, < 14.10.19	14.10.19
org.xwiki.platform:xwiki-platform-oldcore	maven	>= 15.0-rc-1, < 15.5.4	15.5.4
org.xwiki.platform:xwiki-platform-oldcore	maven	>= 15.6-rc-1, < 15.10-rc-1	15.10-rc-1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing authorization checks when injecting Velocity macros from custom skin templates. The patch in commit 3d4dbb4 explicitly added a check for Script rights via authorizationManager.hasAccess(Right.SCRIPT, ...) in the injectBaseMacros method. Prior to this fix, the function blindly trusted template content regardless of the author's privileges, enabling privilege escalation. The test cases added in the commit also validate this behavior by checking macro injection only occurs with proper rights.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-31987: XWiki Platform remote code execution from account via custom skins support

Impact

Patches

Workarounds

References

CVE-2024-31987:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

10

10

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2024-31987: XWiki Platform remote code execution from account via custom skins support

Impact

Patches

Workarounds

References

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI