CVE-2024-31996: XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution
The HTML escaping of escaping tool that is used in XWiki doesn’t escape {, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution.
References
- github.com/advisories/GHSA-hf43-47q4-fhq5
- github.com/xwiki/xwiki-commons
- github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa
- github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a
- github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915
- github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5
- jira.xwiki.org/browse/XCOMMONS-2828
- jira.xwiki.org/browse/XWIKI-21438
- nvd.nist.gov/vuln/detail/CVE-2024-31996
Code Behaviors & Features
Detect and mitigate CVE-2024-31996 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →