CRITICAL🇵🇱 Wersja polska

CVE-2024-31996

CVSS 10.0v3.1pub. 2024-04-10upd. 2025-01-09

XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9 RC1. Apart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents fixes the vulnerability. In a standard XWiki installation, the maintainers are only aware of the document `Panels.PanelLayoutUpdate` that exposes this vulnerability, patching this document is thus a workaround. Any extension could expose this vulnerability and might thus require patching, too.

🤖 AI Analysis
How it works

The HTML escaping tool (`$escapetool.html`) used on the XWiki Platform does not sanitize the `{` character. In specific locations within XWiki documents, an attacker can inject XWiki syntax through this vulnerability, which will be processed by the wiki engine. This results in arbitrary server-side code execution without requiring an account or interaction from other users. In a standard XWiki installation, at least the `Panels.PanelLayoutUpdate` document is vulnerable, but any extension using `$escapetool.html` may be equally at risk.

Impact

An unauthenticated attacker can execute arbitrary code on the server (RCE), gaining full control over the XWiki instance, its data, and potentially the infrastructure on which it runs.

Mitigation & patch

XWiki should be updated to version 14.10.19, 15.5.5, or 15.9 RC1. If an update is not immediately possible, a workaround can be applied by replacing `$escapetool.html` with `$escapetool.xml` in XWiki documents — particularly in the `Panels.PanelLayoutUpdate` document. All installed extensions using `$escapetool.html` should also be reviewed and patched.

Who is affected

XWiki Platform in versions from 3.0.1 to (excluding) 14.10.19, 15.5.4, and 15.10-rc-1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Xwiki

    APP
    Xwiki
    3.0.1 – 14.10.19 (bez)15.0 – 15.5.4 (bez)15.6 – 15.9 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam produkt

XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch

CVE-2025-55748CRITICAL9.3PL ✓ten sam produkt

XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych

CVE-2025-55747CRITICAL9.3PL ✓ten sam produkt

XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)

CVE-2025-32429CRITICAL9.3PL ✓ten sam produkt

SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm

CVE-2025-53836CRITICAL9.9PL ✓ten sam produkt

XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra