GitHub_MCVELIST:CVE-2024-31985CVE-2024-31985 XWiki Platform CSRF in the job scheduler
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
6.1 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.4%
XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such an URL in any content as an image. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, manually apply the patch by modifying the Scheduler.WebHome page.
CNA Affected
[
{
"vendor": "xwiki",
"product": "xwiki-platform",
"versions": [
{
"version": ">= 3.1, < 14.10.19",
"status": "affected"
},
{
"version": ">= 15.0-rc-1, < 15.5.4",
"status": "affected"
},
{
"version": ">= 15.6-rc-1, < 15.9",
"status": "affected"
}
]
}
]References
github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf
github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87
github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c
github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269
github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2r6-r929-v6gf
jira.xwiki.org/browse/XWIKI-20851
Related
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
6.1 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.4%