Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-31982
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
XWiki Platform: Remote code execution as guest via DatabaseSearch
Source: NVD (National Vulnerability Database)
Vulnerability Description
XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
动态执行代码中指令转义处理不恰当(Eval注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
XWiki Platform 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
XWiki Platform是XWiki基金会的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform 存在安全漏洞,该漏洞源于 XWiki 的数据库搜索允许通过搜索文本远程执行代码。这允许公共 wiki 的任何访问者或封闭 wiki 的用户远程执行代码,因为默认情况下所有用户都可以访问数据库搜索。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
xwikixwiki-platform >= 2.4-milestone-1, < 14.10.20 -
II. Public POCs for CVE-2024-31982
#POC DescriptionSource LinkShenlong Link
1Nonehttps://github.com/k3lpi3b4nsh33/CVE-2024-31982POC Details
2A tool for vulnerability detection and exploitation tool for CVE-2024-31982 https://github.com/th3gokul/CVE-2024-31982POC Details
3POC for CVE-2024-31982: XWiki Platform Remote Code Execution > 14.10.20https://github.com/bigb0x/CVE-2024-31982POC Details
4XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-31982.yamlPOC Details
5Nonehttps://github.com/NanoWraith/CVE-2024-31982POC Details
6Vulnerability for Xwikihttps://github.com/raishin1/CVE-2024-31982POC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2024-31982
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: xwiki-platform
Same vendor: xwiki
Same weakness: CWE-95
V. Comments for CVE-2024-31982

No comments yet

Leave a comment