CVE-2024-31981

9.9 CRITICAL

📋 TL;DR

This vulnerability allows remote code execution in XWiki Platform via PDF export templates. Attackers can execute arbitrary code on affected XWiki instances by exploiting template injection. All XWiki installations using versions 3.0.1 through 14.10.19, 15.0 through 15.5.3, or 15.6 through 15.9 are vulnerable.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: 3.0.1 through 14.10.19, 15.0 through 15.5.3, 15.6 through 15.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in PDF export functionality; systems not using PDF templates may still be vulnerable if the feature is enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, access sensitive data, install malware, or pivot to other systems.

🟠 Likely Case

Remote code execution leading to data theft, privilege escalation, or deployment of ransomware/cryptominers.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place, potentially containing the breach to the XWiki server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The advisory suggests remote exploitation is possible, and the CVSS score of 9.9 indicates low attack complexity with high impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.10.20, 15.5.4, 15.10-rc-1

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vxwr-wpjv-qjq7

Restart Required: Yes

Instructions:

1. Back up your XWiki instance.
2. Download and install a patched version (14.10.20, 15.5.4, or 15.10-rc-1).
3. Restart the XWiki service.
4. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Block PDFClass editing (applies to: all affected versions)

Create the XWiki.PDFClass document and block its editing to prevent template injection:

  • Create document 'XWiki.PDFClass' with no style attribute
  • Set document permissions to block editing

🧯 If You Can't Patch

  • Disable PDF export functionality entirely if not needed
  • Implement strict network controls to limit access to XWiki instance

🔍 How to Verify

Check if Vulnerable:

Check XWiki version against affected ranges: 3.0.1-14.10.19, 15.0-15.5.3, or 15.6-15.9

Check Version:

Check XWiki administration panel or view /xwiki/bin/view/Main/About

Verify Fix Applied:

Confirm version is 14.10.20, 15.5.4, or 15.10-rc-1 or higher
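A version check that encodes the ranges above, as an added example that is not part of this advisory or of XWiki itself. It treats a version as affected when it is at or above 3.0.1 and below the fixed release of its branch (14.10.20, 15.5.4 or 15.10-rc-1); the parsing of "-rc-N" suffixes as sorting before the final release, and the mapping of versions to branches, are my assumptions about how the listed version numbers compare.

```python
import re
from typing import Tuple

# Fixed versions per release branch, taken from the advisory for CVE-2024-31981.
FIXED_VERSIONS = {
    "14.x": "14.10.20",
    "15.0-15.5": "15.5.4",
    "15.6+": "15.10-rc-1",
}
FIRST_AFFECTED = "3.0.1"

# Assumed shape of XWiki version strings: major[.minor[.patch]][-rc-N]
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(rc)-(\d+))?$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a version string into a comparable tuple.

    Layout: (major, minor, patch, release_rank, prerelease_number).
    A final release gets rank 2, a release candidate rank 1, so
    15.10-rc-1 sorts below 15.10 but above 15.9.x.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, tag, tag_num = match.groups()
    numeric = (int(major), int(minor or 0), int(patch or 0))
    if tag is None:
        return numeric + (2, 0)
    return numeric + (1, int(tag_num))


def fix_version_for(version: str) -> str:
    """Return the first fixed release for the branch this version belongs to."""
    major, minor = parse_version(version)[:2]
    if major < 15:
        return FIXED_VERSIONS["14.x"]
    if major == 15 and minor <= 5:
        return FIXED_VERSIONS["15.0-15.5"]
    return FIXED_VERSIONS["15.6+"]


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside the affected ranges of CVE-2024-31981."""
    key = parse_version(version)
    if key < parse_version(FIRST_AFFECTED):
        return False
    return key < parse_version(fix_version_for(version))


if __name__ == "__main__":
    # Constructed sample inputs, e.g. values read from /xwiki/bin/view/Main/About
    for sample in ["14.10.19", "14.10.20", "15.5.3", "15.5.4", "15.9", "15.10-rc-1", "16.0.0"]:
        status = "VULNERABLE" if is_vulnerable(sample) else "fixed/unaffected"
        print(f"{sample:>12}: {status} (fix for branch: {fix_version_for(sample)})")
```

Run it with the version string shown on the About page; anything reported as VULNERABLE should be upgraded to the branch's fix version printed alongside it.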

📡 Detection & Monitoring

Log Indicators:

  • Unusual PDF export requests
  • Suspicious template modifications
  • Unexpected system command execution

Network Indicators:

  • Unusual outbound connections from XWiki server
  • PDF export requests with malicious payloads

SIEM Query:

source="xwiki" AND (event="pdf_export" OR event="template_modification")
