CVE-2024-31988
📋 TL;DR
This vulnerability allows remote code execution in XWiki Platform when the realtime editor is installed. An attacker can craft a URL, or embed an image pointing at that URL in a wiki page, so that when a user holding programming rights (in practice usually an administrator) follows the link or simply views the page, the RTFrontend.ConvertHTML converter evaluates attacker-controlled XWiki syntax, including Groovy or Python script macros, in that user's context. The result is full control of the wiki. This affects XWiki installations running versions 13.9-rc-1 through 14.10.18, 15.0 through 15.5.3, and 15.6 through 15.9.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the XWiki installation allowing attacker to execute arbitrary code, access all data, modify content, and potentially pivot to other systems.
Likely Case
Attacker gains administrative access to XWiki, can read/modify all wiki content, install malicious extensions, and potentially access underlying server resources.
If Mitigated
If proper access controls and network segmentation are in place, impact may be limited to the XWiki instance itself without lateral movement.
🎯 Exploit Status
Exploitation requires no authentication on the attacker's side but does require a victim with programming rights to either open a crafted URL or view a wiki page in which the attacker has placed a crafted image; in the image case no click is needed beyond loading the page. Once that happens the technical complexity is low: the payload is ordinary XWiki syntax carried in the request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.10.19, 15.5.4, or 15.10-rc-1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r5vh-gc3r-r24w
Restart Required: Yes
Instructions:
1. Back up your XWiki installation (database and permanent directory).
2. Download and install the patched version for your branch (14.10.19, 15.5.4, or 15.10-rc-1).
3. Restart the XWiki service.
4. Verify the patch is applied (see How to Verify below).
🔧 Temporary Workarounds
Manual RTFrontend.ConvertHTML Update
Manually apply the fix to the RTFrontend.ConvertHTML wiki document to close the vulnerability without a full upgrade. Re-check the document after any later extension upgrade, since reinstalling the realtime editor may overwrite it.
Apply the change from the GitHub commit: https://github.com/xwiki/xwiki-platform/commit/4896712ee6483da623f131be2e618f1f2b79cb8d
🧯 If You Can't Patch
- Uninstall the realtime editor extension from the XWiki installation until you can upgrade
- Keep programming rights to the smallest possible set of accounts, and have those users avoid following untrusted links or viewing untrusted pages while logged in with a privileged account
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version and whether the realtime editor is installed. Versions 13.9-rc-1 through 14.10.18, 15.0 through 15.5.3, and 15.6 through 15.9 with the realtime editor installed are vulnerable; without the realtime editor the vulnerable document RTFrontend.ConvertHTML is not present.
Check Version:
Check the XWiki version in Administration → About, or in the version.properties file under WEB-INF/ of the deployed web application (xwiki.properties holds configuration, not the version).
Verify Fix Applied:
Verify the XWiki version is 14.10.19, 15.5.4, or 15.10-rc-1 or later on its branch, or, if you applied the manual workaround, that the RTFrontend.ConvertHTML document matches the fix commit.
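The version check above is easy to get wrong by hand because XWiki release-candidate numbers (13.9-rc-1, 15.10-rc-1) sort before the corresponding final release. The following is an added example, not XWiki project code: it encodes the three affected ranges from the advisory as [first affected, first fixed) intervals and compares parsed versions. Function names and the sample versions are illustrative; the ranges themselves are the ones listed on this page.

```python
"""Decide whether an XWiki Platform version string falls in the ranges
affected by CVE-2024-31988 (realtime editor RCE).

Added example, not part of the XWiki project. The ranges and fixed
versions are those in GHSA-r5vh-gc3r-r24w; function names are illustrative.
"""
import re
from typing import Tuple

# Pre-release tags sort before the final release of the same number,
# so "15.10-rc-1" < "15.10" and "13.9-rc-1" < "13.9".
_PRERELEASE_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn 'MAJOR.MINOR[.PATCH][-rc-N|-milestone-N]' into a sortable tuple.

    Numeric parts are padded to three components; the last two components
    rank the pre-release tag and its number (final releases rank highest).
    """
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    major, minor, patch, tag, tag_num = m.groups()
    nums = (int(major), int(minor), int(patch or 0))
    if tag:
        return nums + (_PRERELEASE_RANK[tag], int(tag_num))
    return nums + (_FINAL_RANK, 0)


# (first affected, first fixed) per release branch, exactly as the advisory
# states them; versions are compared literally against these bounds.
AFFECTED_RANGES = [
    ("13.9-rc-1", "14.10.19"),
    ("15.0", "15.5.4"),
    ("15.6", "15.10-rc-1"),
]


def is_vulnerable(version: str) -> bool:
    """True when `version` lies inside any [first_affected, first_fixed) range."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv < parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    for v in ["13.8", "13.9-rc-1", "14.10.18", "14.10.19", "15.5.3",
              "15.5.4", "15.9", "15.10-rc-1", "16.0.0"]:
        print(f"{v:12} vulnerable={is_vulnerable(v)}")
```

Note that the check says nothing about whether the realtime editor is installed; an affected version without the editor does not carry the vulnerable RTFrontend.ConvertHTML document, so pair the result with an extension inventory.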
📡 Detection & Monitoring
Log Indicators:
- Requests for the RTFrontend.ConvertHTML document (path containing /RTFrontend/ConvertHTML under XWiki's /bin/<action>/<Space>/<Page> URL scheme) whose query string, once URL-decoded, contains XWiki macro syntax such as {{groovy}} or {{python}}
- Execution of Groovy or Python script macros attributed to a privileged user outside a normal edit session
- Unusual activity from accounts holding programming rights (new users created, rights changed, extensions installed) shortly after such a request
Network Indicators:
- Converter requests referred from a viewed page (a /bin/view/ URL) or with no referer at all, rather than from the editor; the realtime editor calls the converter from an edit session, so an image tag on a viewed page that points at the converter is a strong signal
SIEM Query:
source="xwiki.log" AND ("Groovy" OR "Python") AND "macro" AND user="XWiki.Admin"
Adjust the user clause to the accounts that actually hold programming rights; XWiki records users as document references of the form XWiki.<Name>, not as a bare login. In web-server access logs, additionally search for uri_path containing "/RTFrontend/ConvertHTML" where the referer does not contain "/bin/edit/".
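The indicators above are easiest to apply as a small scan over access-log lines. The following is an added example, not XWiki project code. It assumes combined-format access logs, that the converter is addressed at a path containing /RTFrontend/ConvertHTML (XWiki's standard /bin/<action>/<Space>/<Page> scheme), and that legitimate editor calls are referred from an edit URL; it does not rely on any particular parameter name, and the sample log lines (including the `text=` parameter and hostnames) are constructed for the example.

```python
"""Flag access-log requests that look like CVE-2024-31988 attempts against
the RTFrontend.ConvertHTML converter.

Added example, not XWiki project code. Assumptions: combined log format;
converter path contains /RTFrontend/ConvertHTML; editor traffic is referred
from a /bin/edit/ URL. Sample log lines are constructed for this example.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Combined log format: client, ident, user, [time], "request", status, bytes, "referer", "ua".
_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Script macros give code execution; velocity/html are included as common
# stepping stones an attacker might use in the same position.
_MACRO = re.compile(r"\{\{\s*(groovy|python|velocity|html)\b", re.IGNORECASE)

CONVERTER_PATH = "/RTFrontend/ConvertHTML"


def _fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly; payloads are often double-encoded to hide braces."""
    for _ in range(rounds):
        nxt = unquote_plus(s)
        if nxt == s:
            break
        s = nxt
    return s


def find_converter_abuse(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client, user, raw_target, reason) for each suspicious request."""
    hits = []
    for line in lines:
        m = _LINE.match(line)
        if not m or CONVERTER_PATH not in m["target"]:
            continue
        macro = _MACRO.search(_fully_decode(m["target"]))
        if macro:
            reason = "macro {{" + macro.group(1).lower() + "}} in query string"
        elif m["referer"] == "-" or "/bin/edit/" not in m["referer"]:
            # Heuristic: the realtime editor calls the converter from an edit
            # session; a direct hit or one referred from a viewed page is odd.
            reason = "converter called outside an edit session"
        else:
            continue
        hits.append((m["client"], m["user"], m["target"], reason))
    return hits


# Constructed sample lines (not real traffic). Hosts, IPs and the `text=`
# parameter are made up for illustration.
SAMPLE_LOG = [
    # Legitimate: converter called from a WYSIWYG edit session, plain HTML.
    '10.0.0.5 - - [12/Apr/2024:10:01:02 +0000] "GET /xwiki/bin/get/RTFrontend/ConvertHTML'
    '?outputSyntax=plain&text=%3Cp%3Ehello%3C%2Fp%3E HTTP/1.1" 200 512 '
    '"https://wiki.example/xwiki/bin/edit/Sandbox/WebHome?editor=wysiwyg" "Mozilla/5.0"',
    # Crafted link opened directly: {{groovy}} payload, single URL-encoding.
    '198.51.100.7 - - [12/Apr/2024:10:02:30 +0000] "GET /xwiki/bin/get/RTFrontend/ConvertHTML'
    '?text=%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 120 '
    '"-" "Mozilla/5.0"',
    # Image on a viewed page: {{python}} payload, double-encoded.
    '198.51.100.7 - - [12/Apr/2024:10:03:00 +0000] "GET /xwiki/bin/get/RTFrontend/ConvertHTML'
    '?text=%257B%257Bpython%257D%257Dimport%2520os%257B%257B%252Fpython%257D%257D HTTP/1.1" 200 120 '
    '"https://wiki.example/xwiki/bin/view/Main/WebHome" "Mozilla/5.0"',
    # Unrelated page view.
    '10.0.0.9 - - [12/Apr/2024:10:04:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9000 '
    '"-" "Mozilla/5.0"',
    # Converter hit from a viewed page with no visible macro: still unusual.
    '203.0.113.4 - - [12/Apr/2024:10:05:00 +0000] "GET /xwiki/bin/get/RTFrontend/ConvertHTML'
    '?text=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 80 '
    '"https://wiki.example/xwiki/bin/view/Main/WebHome" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, user, target, reason in find_converter_abuse(SAMPLE_LOG):
        print(f"{client:15} {user:6} {reason}: {target}")
```

Treat the referer heuristic as a triage aid rather than a verdict: proxies and privacy settings strip referers, so confirm by decoding the query string and by correlating with XWiki's own logs for script-macro execution by the affected user.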
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/4896712ee6483da623f131be2e618f1f2b79cb8d
- https://github.com/xwiki/xwiki-platform/commit/9f8cc88497418750b09ce9fde5d67d840f038fbf
- https://github.com/xwiki/xwiki-platform/commit/d88da4572fb7d4f95e1f54bb0cce33fce3df08d9
- https://github.com/xwiki/xwiki-platform/commit/d9f5043da289ff106f08e23576746fd8baf98794
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r5vh-gc3r-r24w
- https://jira.xwiki.org/browse/XWIKI-21424