CRITICAL🇵🇱 Wersja polska

CVE-2024-31982

CVSS 10.0v3.1pub. 2024-04-10upd. 2025-09-25

XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.

🤖 AI Analysis
How it works

The database search mechanism (the `Main.DatabaseSearch` page) does not safely validate user-supplied input data, which corresponds to vulnerabilities of the CWE-94 class (code injection) and CWE-95 (eval of unsafe expressions). An attacker can place a payload containing malicious code in the search field, which will be interpreted and executed by the platform engine. By default, the database search page is accessible to all users, which means that in the case of a public wiki, any unauthenticated visitor can carry out the exploit.

Impact

An attacker gains the ability to execute arbitrary code on the server side (RCE), which leads to complete takeover of the XWiki installation — violation of confidentiality, integrity and availability of all data and services.

Mitigation & patch

XWiki Platform should be updated to version 14.10.20, 15.5.4 or 15.10RC1, in which the vulnerability has been patched. As a workaround, you can manually apply a patch on the `Main.DatabaseSearch` page or — if database search is not actively used — remove this page, as it is not the default XWiki search interface.

Who is affected

XWiki Platform in versions from 2.4-milestone-1 to (excluding) 14.10.20, 15.5.4 and 15.10-rc-1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Xwiki

    APP
    Xwiki
    2.4 – 14.10.20 (bez)15.0 – 15.5.4 (bez)15.6 – 15.10 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam produkt

XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch

CVE-2025-55748CRITICAL9.3PL ✓ten sam produkt

XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych

CVE-2025-55747CRITICAL9.3PL ✓ten sam produkt

XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)

CVE-2025-32429CRITICAL9.3PL ✓ten sam produkt

SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm

CVE-2025-53836CRITICAL9.9PL ✓ten sam produkt

XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra