CVE-2024-31465

9.9 CRITICAL

📋 TL;DR

This vulnerability allows any user with edit rights on any XWiki page to execute arbitrary code on the server by adding a malicious XWiki.SearchSuggestSourceClass object to their profile or other pages. This results in complete server compromise affecting confidentiality, integrity, and availability. All XWiki installations from version 5.0-rc-1 up to (but not including) 14.10.20, 15.5.4, and 15.9-rc-1 are affected.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: 5.0-rc-1 to 14.10.19, 15.0 to 15.5.3, 15.6 to 15.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any XWiki installation with at least one user having edit rights on any page is vulnerable. The vulnerability is in the core platform and affects all deployments.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server takeover with administrative access, data exfiltration, installation of persistent backdoors, and potential lateral movement to other systems.

🟠 Likely Case

Attackers gain full control of the XWiki instance, modify or delete content, steal sensitive information, and use the server for further attacks.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access controls, and monitoring are in place, though server compromise still occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires only edit rights on any page, which is common for regular users. The vulnerability is straightforward to exploit once the technique is understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.10.20, 15.5.4, 15.10-rc-1 or later

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-34fj-r5gq-7395

Restart Required: Yes

Instructions:

1. Backup your XWiki installation and database.
2. Upgrade to XWiki 14.10.20, 15.5.4, or 15.10-rc-1 or later.
3. Restart the XWiki application server.
4. Verify the patch is applied by checking the XWiki.SearchSuggestSourceSheet document.

🔧 Temporary Workarounds

Manual patch application (applies to: all)

Apply the security patch directly to the vulnerable XWiki.SearchSuggestSourceSheet document as shown in the GitHub commits.

🧯 If You Can't Patch

  • Immediately restrict edit rights to trusted administrators only. Remove edit rights from all regular users.
  • Implement network segmentation to isolate the XWiki server and monitor for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check your XWiki version. If it's between 5.0-rc-1 and 14.10.19, or between 15.0 and 15.5.3, or between 15.6 and 15.8, you are vulnerable.
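To apply those ranges mechanically, the following is an added Python example (not code from this advisory or from the XWiki project) that parses XWiki version strings, orders pre-release builds such as 15.10-rc-1 before the final 15.10, and tests a version against the affected ranges; it assumes the upper bounds are the fixed releases listed under Official Fix (14.10.20, 15.5.4, 15.10-rc-1).

```python
import re

# Affected ranges: lower bound inclusive (from Affected Systems), upper bound
# exclusive (the first fixed release from Official Fix). Assumption: the fix
# section's 15.10-rc-1 is used as the upper bound of the 15.6+ branch.
AFFECTED_RANGES = [
    ("5.0-rc-1", "14.10.20"),
    ("15.0", "15.5.4"),
    ("15.6", "15.10-rc-1"),
]

# Matches "14.10.19", "15.0", "5.0-rc-1", "15.10-rc-1", "15.0-milestone-2".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([a-z]+)-?(\d+)?)?$", re.IGNORECASE)


def version_key(version: str) -> tuple:
    """Sortable key for an XWiki version string.

    Pre-release builds (rc, milestone) sort before the final release of the
    same number, so 15.10-rc-1 < 15.10 while 15.9-rc-1 < 15.10-rc-1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))  # treat 15.0 and 15.0.0 as equal
    tag, tag_num = m.group(2), m.group(3)
    if tag is None:
        return (tuple(numbers), 1, "", 0)  # final release: after any pre-release
    return (tuple(numbers), 0, tag.lower(), int(tag_num or 0))


def is_affected(version: str) -> bool:
    """True if the given XWiki version falls inside an affected range."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    for v in ("14.10.19", "14.10.20", "15.5.3", "15.9-rc-1", "15.10-rc-1"):
        print(f"{v:>12}: {'AFFECTED' if is_affected(v) else 'not affected'}")
```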

Check Version:

Check the XWiki administration interface or view the xwiki.properties file for version information.

Verify Fix Applied:

After patching, verify the XWiki.SearchSuggestSourceSheet document has been updated with the security fixes from the GitHub commits.

📡 Detection & Monitoring

Log Indicators:

  • Unusual modifications to XWiki.SearchSuggestSourceClass objects
  • Suspicious code execution patterns in application logs
  • Unexpected creation of objects with XWiki.SearchSuggestSourceClass type

Network Indicators:

  • Unusual outbound connections from the XWiki server
  • Suspicious incoming requests attempting to exploit the vulnerability

SIEM Query:

Search for events where XWiki.SearchSuggestSourceClass objects are created or modified by non-administrative users.
