CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
CVE-2023-7245 (GCVE-0-2023-7245)
Vulnerability from cvelistv5 – Published: 2024-02-20 11:08 – Updated: 2024-08-14 14:36
VLAI
Summary
The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable
Severity
7.8 (High)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://openvpn.net/vpn-server-resources/openvpn-… | release-notes |
| https://openvpn.net/vpn-server-resources/openvpn-… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OpenVPN | OpenVPN Connect |
Affected:
3.0 (Windows) , ≤ 3.4.3
(minor releases)
Affected: 3.0 (macOS) , ≤ 3.4.7 (minor releases) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:57:35.027Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://openvpn.net/vpn-server-resources/openvpn-connect-for-macos-change-log/"
},
{
"tags": [
"release-notes",
"x_transferred"
],
"url": "https://openvpn.net/vpn-server-resources/openvpn-connect-for-windows-change-log/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:openvpn:connect:*:*:*:*:*:macos:*:*"
],
"defaultStatus": "unknown",
"product": "connect",
"vendor": "openvpn",
"versions": [
{
"lessThan": "3.4.7",
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:openvpn:connect:*:*:*:*:*:windows:*:*"
],
"defaultStatus": "unknown",
"product": "connect",
"vendor": "openvpn",
"versions": [
{
"lessThan": "3.4.3",
"status": "affected",
"version": "3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-7245",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-20T20:35:31.784407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-14T14:36:15.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows",
"MacOS"
],
"product": "OpenVPN Connect",
"vendor": "OpenVPN",
"versions": [
{
"lessThanOrEqual": "3.4.3",
"status": "affected",
"version": "3.0 (Windows)",
"versionType": "minor releases"
},
{
"lessThanOrEqual": "3.4.7",
"status": "affected",
"version": "3.0 (macOS) ",
"versionType": "minor releases"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The nodejs framework in OpenVPN Connect 3.0 through 3.4.3 (Windows)/3.4.7 (macOS) was not properly configured, which allows a local user to execute arbitrary code within the nodejs process context via the ELECTRON_RUN_AS_NODE environment variable\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-20T11:08:29.089Z",
"orgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e",
"shortName": "OpenVPN"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://openvpn.net/vpn-server-resources/openvpn-connect-for-macos-change-log/"
},
{
"tags": [
"release-notes"
],
"url": "https://openvpn.net/vpn-server-resources/openvpn-connect-for-windows-change-log/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e",
"assignerShortName": "OpenVPN",
"cveId": "CVE-2023-7245",
"datePublished": "2024-02-20T11:08:29.089Z",
"dateReserved": "2024-02-07T13:25:05.853Z",
"dateUpdated": "2024-08-14T14:36:15.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10633 (GCVE-0-2024-10633)
Vulnerability from cvelistv5 – Published: 2025-01-26 05:24 – Updated: 2025-01-27 15:02
VLAI
Title
Quiz Maker Business, Developer, and Agency <= (Multiple Versions) - Unauthenticated Arbitrary Shortcode Execution via content
Summary
The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity
7.3 (High)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| AYS Pro Plugins | Quiz Maker Developer |
Affected:
* , ≤ 21.8.0
(semver)
|
|
| AYS Pro Plugins | Quiz Maker Agency |
Affected:
* , ≤ 31.8.0
(semver)
|
|
| AYS Pro Plugins | Quiz Maker Business |
Affected:
* , ≤ 8.8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10633",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-27T15:02:41.296292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-27T15:02:49.886Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz Maker Developer",
"vendor": "AYS Pro Plugins",
"versions": [
{
"lessThanOrEqual": "21.8.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Quiz Maker Agency",
"vendor": "AYS Pro Plugins",
"versions": [
{
"lessThanOrEqual": "31.8.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Quiz Maker Business",
"vendor": "AYS Pro Plugins",
"versions": [
{
"lessThanOrEqual": "8.8.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "abrahack"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz Maker Business, Developer, and Agency plugins for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.8.0 (Business), up to, and including, 21.8.0 (Developer), and up to, and including, 31.8.0 (Agency). This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-26T05:24:15.723Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eb81f83f-a0e7-46d9-b106-fe31f8ad3eb9?source=cve"
},
{
"url": "https://ays-pro.com/wordpress/quiz-maker"
},
{
"url": "https://ays-pro.com/changelog-for-quiz-maker-pro"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-31T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-01-25T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Quiz Maker Business, Developer, and Agency \u003c= (Multiple Versions) - Unauthenticated Arbitrary Shortcode Execution via content"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10633",
"datePublished": "2025-01-26T05:24:15.723Z",
"dateReserved": "2024-10-31T18:16:45.973Z",
"dateUpdated": "2025-01-27T15:02:49.886Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21650 (GCVE-0-2024-21650)
Vulnerability from cvelistv5 – Published: 2024-01-08 15:18 – Updated: 2025-06-17 20:39
VLAI
Title
XWiki Remote Code Execution vulnerability via user registration
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have user registration enabled for guests. This vulnerability has been patched in XWiki 14.10.17, 15.5.3 and 15.8 RC1.
Severity
10 (Critical)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/xwiki/xwiki-platform/security/… | x_refsource_CONFIRM |
| https://github.com/xwiki/xwiki-platform/commit/b2… | x_refsource_MISC |
| https://jira.xwiki.org/browse/XWIKI-21173 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 2.2, < 14.10.17
Affected: >= 15.0-rc-1, < 15.5.3 Affected: >= 15.6-rc-1, < 15.8-rc-1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.108Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rj7p-xjv7-7229",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rj7p-xjv7-7229"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/b290bfd573c6f7db6cc15a88dd4111d9fcad0d31",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/b290bfd573c6f7db6cc15a88dd4111d9fcad0d31"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21173",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21173"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21650",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-09T20:05:19.685957Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:39:15.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2, \u003c 14.10.17"
},
{
"status": "affected",
"version": "\u003e= 15.0-rc-1, \u003c 15.5.3"
},
{
"status": "affected",
"version": "\u003e= 15.6-rc-1, \u003c 15.8-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the \"first name\" or \"last name\" fields during user registration. This impacts all installations that have user registration enabled for guests. This vulnerability has been patched in XWiki 14.10.17, 15.5.3 and 15.8 RC1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-08T15:18:12.782Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rj7p-xjv7-7229",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rj7p-xjv7-7229"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/b290bfd573c6f7db6cc15a88dd4111d9fcad0d31",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/b290bfd573c6f7db6cc15a88dd4111d9fcad0d31"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21173",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21173"
}
],
"source": {
"advisory": "GHSA-rj7p-xjv7-7229",
"discovery": "UNKNOWN"
},
"title": "XWiki Remote Code Execution vulnerability via user registration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21650",
"datePublished": "2024-01-08T15:18:12.782Z",
"dateReserved": "2023-12-29T16:10:20.366Z",
"dateUpdated": "2025-06-17T20:39:15.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27320 (GCVE-0-2024-27320)
Vulnerability from cvelistv5 – Published: 2024-09-12 12:49 – Updated: 2024-09-12 14:48
VLAI
Summary
An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.
Severity
7.8 (High)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:refuel:autolabel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "autolabel",
"vendor": "refuel",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0.0.8",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27320",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T14:48:06.622811Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:48:46.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "autolabel",
"repo": "https://github.com/refuel-ai/autolabel",
"vendor": "Refuel",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0.0.8",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it."
}
],
"value": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its classification tasks handle provided CSV files. If a victim user creates a classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it."
}
],
"impacts": [
{
"capecId": "CAPEC-35",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-35 Leverage Executable Code in Non-Executable Files"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T12:49:43.930Z",
"orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
"shortName": "HiddenLayer"
},
"references": [
{
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
"assignerShortName": "HiddenLayer",
"cveId": "CVE-2024-27320",
"datePublished": "2024-09-12T12:49:43.930Z",
"dateReserved": "2024-02-23T16:59:23.010Z",
"dateUpdated": "2024-09-12T14:48:46.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-27321 (GCVE-0-2024-27321)
Vulnerability from cvelistv5 – Published: 2024-09-12 12:50 – Updated: 2024-09-12 14:47
VLAI
Summary
An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it.
Severity
7.8 (High)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
1 reference
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:refuel:autolabel:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "autolabel",
"vendor": "refuel",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0.0.8",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27321",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-12T14:44:53.801427Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T14:47:11.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "autolabel",
"repo": "https://github.com/refuel-ai/autolabel",
"vendor": "Refuel",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "0.0.8",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it."
}
],
"value": "An arbitrary code execution vulnerability exists in versions 0.0.8 and newer of the Refuel Autolabel library because of the way its multilabel classification tasks handle provided CSV files. If a user creates a multilabel classification task using a maliciously crafted CSV file containing Python code, the code will be passed to an eval function which executes it."
}
],
"impacts": [
{
"capecId": "CAPEC-35",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-35 Leverage Executable Code in Non-Executable Files"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-12T12:50:47.730Z",
"orgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
"shortName": "HiddenLayer"
},
"references": [
{
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-autolabel/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
"assignerShortName": "HiddenLayer",
"cveId": "CVE-2024-27321",
"datePublished": "2024-09-12T12:50:47.730Z",
"dateReserved": "2024-02-23T16:59:23.010Z",
"dateUpdated": "2024-09-12T14:47:11.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31465 (GCVE-0-2024-31465)
Vulnerability from cvelistv5 – Published: 2024-04-10 19:12 – Updated: 2024-08-13 13:56
VLAI
Title
XWiki Platform: Remote code execution from account via SearchSuggestSourceSheet
Summary
XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.20, 15.5.4, and 15.9-rc-1, any user with edit right on any page can execute any code on the server by adding an object of type `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1. As a workaround, manually apply the patch to the document `XWiki.SearchSuggestSourceSheet`.
Severity
10 (Critical)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/xwiki/xwiki-platform/security/… | x_refsource_CONFIRM |
| https://github.com/xwiki/xwiki-platform/commit/03… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/27… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/6a… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/6a… | x_refsource_MISC |
| https://jira.xwiki.org/browse/XWIKI-21474 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 5.2-milestone-2, < 14.10.20
Affected: >= 15.0-rc-1, < 15.5.4 Affected: >= 15.6-rc-1, < 15.10-rc-1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xwiki",
"vendor": "xwiki",
"versions": [
{
"lessThan": "14.10.20",
"status": "affected",
"version": "5.2-milestone-2",
"versionType": "custom"
},
{
"lessThan": "15.5.4",
"status": "affected",
"version": "15.0-rc-1",
"versionType": "custom"
},
{
"lessThan": "15.10-rc-1",
"status": "affected",
"version": "15.6-rc-1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31465",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T18:36:09.920532Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T13:56:21.898Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:52:57.115Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-34fj-r5gq-7395",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-34fj-r5gq-7395"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/0317a3aa78065e66c86fc725976b06bf7f9b446e",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/0317a3aa78065e66c86fc725976b06bf7f9b446e"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/2740974c32dbb7cc565546d0f04e2374b32b36f7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/2740974c32dbb7cc565546d0f04e2374b32b36f7"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/6a7f19f6424036fce3d703413137adde950ae809",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/6a7f19f6424036fce3d703413137adde950ae809"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/6a7f19f6424036fce3d703413137adde950ae809#diff-67b473d2b6397d65b7726c6a13555850b11b10128321adf9e627e656e1d130a5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/6a7f19f6424036fce3d703413137adde950ae809#diff-67b473d2b6397d65b7726c6a13555850b11b10128321adf9e627e656e1d130a5"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21474",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21474"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.2-milestone-2, \u003c 14.10.20"
},
{
"status": "affected",
"version": "\u003e= 15.0-rc-1, \u003c 15.5.4"
},
{
"status": "affected",
"version": "\u003e= 15.6-rc-1, \u003c 15.10-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.20, 15.5.4, and 15.9-rc-1, any user with edit right on any page can execute any code on the server by adding an object of type `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1. As a workaround, manually apply the patch to the document `XWiki.SearchSuggestSourceSheet`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T19:12:35.517Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-34fj-r5gq-7395",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-34fj-r5gq-7395"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/0317a3aa78065e66c86fc725976b06bf7f9b446e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/0317a3aa78065e66c86fc725976b06bf7f9b446e"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/2740974c32dbb7cc565546d0f04e2374b32b36f7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/2740974c32dbb7cc565546d0f04e2374b32b36f7"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/6a7f19f6424036fce3d703413137adde950ae809",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/6a7f19f6424036fce3d703413137adde950ae809"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/6a7f19f6424036fce3d703413137adde950ae809#diff-67b473d2b6397d65b7726c6a13555850b11b10128321adf9e627e656e1d130a5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/6a7f19f6424036fce3d703413137adde950ae809#diff-67b473d2b6397d65b7726c6a13555850b11b10128321adf9e627e656e1d130a5"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21474",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21474"
}
],
"source": {
"advisory": "GHSA-34fj-r5gq-7395",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform: Remote code execution from account via SearchSuggestSourceSheet"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31465",
"datePublished": "2024-04-10T19:12:35.517Z",
"dateReserved": "2024-04-03T17:55:32.648Z",
"dateUpdated": "2024-08-13T13:56:21.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31982 (GCVE-0-2024-31982)
Vulnerability from cvelistv5 – Published: 2024-04-10 19:38 – Updated: 2025-09-25 16:39
VLAI
Title
XWiki Platform: Remote code execution as guest via DatabaseSearch
Summary
XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki.
Severity
10 (Critical)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/xwiki/xwiki-platform/security/… | x_refsource_CONFIRM |
| https://github.com/xwiki/xwiki-platform/commit/3c… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/45… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/95… | x_refsource_MISC |
| https://jira.xwiki.org/browse/XWIKI-21472 | x_refsource_MISC |
| https://www.vicarius.io/vsociety/posts/xwiki-rce-… |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 2.4-milestone-1, < 14.10.20
Affected: >= 15.0-rc-1, < 15.5.4 Affected: >= 15.6-rc-1, < 15.10-rc-1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-09-25T16:39:01.533Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-31982-detect-xwiki-vulnerability"
},
{
"url": "https://www.vicarius.io/vsociety/posts/cve-2024-31982-xwiki-mitigation-vulnerability"
},
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2858-8cfx-69m9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2858-8cfx-69m9"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/3c9e4bb04286de94ad24854026a09fa967538e31",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/3c9e4bb04286de94ad24854026a09fa967538e31"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/459e968be8740c8abc2a168196ce21e5ba93cfb8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/459e968be8740c8abc2a168196ce21e5ba93cfb8"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/95bdd6cc6298acdf7f8f21298d40eeb8390a8565",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/95bdd6cc6298acdf7f8f21298d40eeb8390a8565"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21472",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21472"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.vicarius.io/vsociety/posts/xwiki-rce-cve-2024-31982"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xwiki:xwiki-platform:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"lessThan": "14.10.20",
"status": "affected",
"version": "2.4-milestone-1",
"versionType": "custom"
},
{
"lessThan": "15.5.4",
"status": "affected",
"version": "15.0-rc-1",
"versionType": "custom"
},
{
"lessThan": "15.10-rc-1",
"status": "affected",
"version": "15.6-rc-1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31982",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-20T19:00:50.608451Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-20T19:02:45.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.4-milestone-1, \u003c 14.10.20"
},
{
"status": "affected",
"version": "\u003e= 15.0-rc-1, \u003c 15.5.4"
},
{
"status": "affected",
"version": "\u003e= 15.6-rc-1, \u003c 15.10-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, XWiki\u0027s database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki or user of a closed wiki as the database search is by default accessible for all users. This impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10RC1. As a workaround, one may manually apply the patch to the page `Main.DatabaseSearch`. Alternatively, unless database search is explicitly used by users, this page can be deleted as this is not the default search interface of XWiki."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T18:57:47.669Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2858-8cfx-69m9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2858-8cfx-69m9"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/3c9e4bb04286de94ad24854026a09fa967538e31",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/3c9e4bb04286de94ad24854026a09fa967538e31"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/459e968be8740c8abc2a168196ce21e5ba93cfb8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/459e968be8740c8abc2a168196ce21e5ba93cfb8"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/95bdd6cc6298acdf7f8f21298d40eeb8390a8565",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/95bdd6cc6298acdf7f8f21298d40eeb8390a8565"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21472",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21472"
},
{
"url": "https://www.vicarius.io/vsociety/posts/xwiki-rce-cve-2024-31982"
}
],
"source": {
"advisory": "GHSA-2858-8cfx-69m9",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform: Remote code execution as guest via DatabaseSearch"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31982",
"datePublished": "2024-04-10T19:38:01.879Z",
"dateReserved": "2024-04-08T13:48:37.490Z",
"dateUpdated": "2025-09-25T16:39:01.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31984 (GCVE-0-2024-31984)
Vulnerability from cvelistv5 – Published: 2024-04-10 19:53 – Updated: 2024-08-13 13:37
VLAI
Title
XWiki Platform: Remote code execution through space title and Solr space facet
Summary
XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1. As a workaround, manually apply the patch to the `Main.SolrSpaceFacet` page.
Severity
10 (Critical)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
8 references
| URL | Tags |
|---|---|
| https://github.com/xwiki/xwiki-platform/security/… | x_refsource_CONFIRM |
| https://github.com/xwiki/xwiki-platform/commit/43… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/5e… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/74… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/94… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/ac… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/ef… | x_refsource_MISC |
| https://jira.xwiki.org/browse/XWIKI-21471 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 7.2-rc-1, < 14.10.20
Affected: >= 15.0-rc-1, < 15.5.4 Affected: >= 15.6-rc-1, < 15.10-rc-1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xwiki",
"vendor": "xwiki",
"versions": [
{
"lessThan": "14.10.20",
"status": "affected",
"version": "7.2-rc-1",
"versionType": "custom"
},
{
"lessThan": "15.5.4",
"status": "affected",
"version": "15.0-rc-1",
"versionType": "custom"
},
{
"lessThan": "15.10-rc-1",
"status": "affected",
"version": "15.6-rc-1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31984",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-03T19:49:18.978984Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-13T13:37:31.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.883Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xm4h-3jxr-m3c6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xm4h-3jxr-m3c6"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/43c9d551e3c11e9d8f176b556dd33bbe31fc66e0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/43c9d551e3c11e9d8f176b556dd33bbe31fc66e0"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/5ef9d294d37be92ee22b2549e38663b29dce8767",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/5ef9d294d37be92ee22b2549e38663b29dce8767"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/94fc12db87c2431eb1335ecb9c2954b1905bde62",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/94fc12db87c2431eb1335ecb9c2954b1905bde62"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/ef55105d6eeec5635fd693f0070c5aaaf3bdd940",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/ef55105d6eeec5635fd693f0070c5aaaf3bdd940"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21471",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21471"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.2-rc-1, \u003c 14.10.20"
},
{
"status": "affected",
"version": "\u003e= 15.0-rc-1, \u003c 15.5.4"
},
{
"status": "affected",
"version": "\u003e= 15.6-rc-1, \u003c 15.10-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1. As a workaround, manually apply the patch to the `Main.SolrSpaceFacet` page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T20:11:03.857Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xm4h-3jxr-m3c6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xm4h-3jxr-m3c6"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/43c9d551e3c11e9d8f176b556dd33bbe31fc66e0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/43c9d551e3c11e9d8f176b556dd33bbe31fc66e0"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/5ef9d294d37be92ee22b2549e38663b29dce8767",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/5ef9d294d37be92ee22b2549e38663b29dce8767"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/94fc12db87c2431eb1335ecb9c2954b1905bde62",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/94fc12db87c2431eb1335ecb9c2954b1905bde62"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/ef55105d6eeec5635fd693f0070c5aaaf3bdd940",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/ef55105d6eeec5635fd693f0070c5aaaf3bdd940"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21471",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21471"
}
],
"source": {
"advisory": "GHSA-xm4h-3jxr-m3c6",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform: Remote code execution through space title and Solr space facet"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31984",
"datePublished": "2024-04-10T19:53:50.690Z",
"dateReserved": "2024-04-08T13:48:37.490Z",
"dateUpdated": "2024-08-13T13:37:31.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31986 (GCVE-0-2024-31986)
Vulnerability from cvelistv5 – Published: 2024-04-10 20:27 – Updated: 2024-08-02 01:59
VLAI
Title
XWiki Platform CSRF remote code execution through scheduler job's document reference
Summary
XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a special crafted documented reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, apply the patch manually by modifying the `Scheduler.WebHome` page.
Severity
9.1 (Critical)
CWE
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/xwiki/xwiki-platform/security/… | x_refsource_CONFIRM |
| https://github.com/xwiki/xwiki-platform/commit/8a… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/ef… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-platform/commit/f3… | x_refsource_MISC |
| https://jira.xwiki.org/browse/XWIKI-21416 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 3.1, < 14.10.19
Affected: >= 15.0-rc-1, < 15.5.4 Affected: >= 15.6-rc-1, < 15.9 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xwiki:xwiki:3.1:-:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xwiki",
"vendor": "xwiki",
"versions": [
{
"lessThan": "14.10.19",
"status": "affected",
"version": "3.1",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:xwiki:xwiki:15.0:rc1:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xwiki",
"vendor": "xwiki",
"versions": [
{
"lessThan": "15.5.4",
"status": "affected",
"version": "15.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:xwiki:xwiki:15.6:rc1:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "xwiki",
"vendor": "xwiki",
"versions": [
{
"lessThan": "15.9",
"status": "affected",
"version": "15.6",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31986",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-19T14:43:39.388902Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-19T21:06:21.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.842Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-37m4-hqxv-w26g",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-37m4-hqxv-w26g"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21416",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21416"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.1, \u003c 14.10.19"
},
{
"status": "affected",
"version": "\u003e= 15.0-rc-1, \u003c 15.5.4"
},
{
"status": "affected",
"version": "\u003e= 15.6-rc-1, \u003c 15.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a special crafted documented reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, apply the patch manually by modifying the `Scheduler.WebHome` page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T20:27:29.600Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-37m4-hqxv-w26g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-37m4-hqxv-w26g"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21416",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21416"
}
],
"source": {
"advisory": "GHSA-37m4-hqxv-w26g",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform CSRF remote code execution through scheduler job\u0027s document reference"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31986",
"datePublished": "2024-04-10T20:27:29.600Z",
"dateReserved": "2024-04-08T13:48:37.490Z",
"dateUpdated": "2024-08-02T01:59:50.842Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-31996 (GCVE-0-2024-31996)
Vulnerability from cvelistv5 – Published: 2024-04-10 20:46 – Updated: 2024-08-02 01:59
VLAI
Title
XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution
Summary
XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9 RC1. Apart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents fixes the vulnerability. In a standard XWiki installation, the maintainers are only aware of the document `Panels.PanelLayoutUpdate` that exposes this vulnerability, patching this document is thus a workaround. Any extension could expose this vulnerability and might thus require patching, too.
Severity
10 (Critical)
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://github.com/xwiki/xwiki-commons/security/a… | x_refsource_CONFIRM |
| https://github.com/xwiki/xwiki-commons/commit/b08… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-commons/commit/b94… | x_refsource_MISC |
| https://github.com/xwiki/xwiki-commons/commit/ed7… | x_refsource_MISC |
| https://jira.xwiki.org/browse/XCOMMONS-2828 | x_refsource_MISC |
| https://jira.xwiki.org/browse/XWIKI-21438 | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xwiki | xwiki-commons |
Affected:
>= 3.0.1, < 14.10.19
Affected: >= 15.0-rc-1, < 15.5.4 Affected: >= 15.6-rc-1, < 15.9-rc-1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xwiki:commons:3.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "commons",
"vendor": "xwiki",
"versions": [
{
"lessThan": "14.10.19",
"status": "affected",
"version": "3.0.1",
"versionType": "custom"
},
{
"lessThan": "15.5.4",
"status": "affected",
"version": "15.0-rc-1",
"versionType": "custom"
},
{
"lessThan": "15.9-rc-1",
"status": "affected",
"version": "15.6-rc-1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31996",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T14:18:52.690268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:36:19.539Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2828",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2828"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21438",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21438"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.1, \u003c 14.10.19"
},
{
"status": "affected",
"version": "\u003e= 15.0-rc-1, \u003c 15.5.4"
},
{
"status": "affected",
"version": "\u003e= 15.6-rc-1, \u003c 15.9-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn\u0027t escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9 RC1. Apart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents fixes the vulnerability. In a standard XWiki installation, the maintainers are only aware of the document `Panels.PanelLayoutUpdate` that exposes this vulnerability, patching this document is thus a workaround. Any extension could expose this vulnerability and might thus require patching, too."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T20:46:19.929Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2828",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2828"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21438",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21438"
}
],
"source": {
"advisory": "GHSA-hf43-47q4-fhq5",
"discovery": "UNKNOWN"
},
"title": "XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31996",
"datePublished": "2024-04-10T20:46:19.929Z",
"dateReserved": "2024-04-08T13:48:37.491Z",
"dateUpdated": "2024-08-02T01:59:50.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phases: Architecture and Design, Implementation
Strategy: Refactoring
Description:
- If possible, refactor your code so that it does not need to use eval() at all.
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Phase: Implementation
Description:
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
- Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
Phase: Implementation
Description:
- For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.