CVE-2024-31987: XWiki Platform remote code execution from account via custom skins support
Any user who can edit a page, such as their own profile, can attach a custom skin with a template override. The override is executed with programming right, which gives the user remote code execution.
To reproduce, as a user without edit, script or admin right, add an object of class XWiki.XWikiSkins to your profile. Name it whatever you want and set the Base Skin to flamingo.
Add an object of class XWikiSkinFileOverrideClass and set the path to macros.vm and the content to:
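The reproduction above is the pattern to hunt for in an existing wiki: a page (typically a user profile) that carries both an XWiki.XWikiSkins object and an XWiki.XWikiSkinFileOverrideClass object whose path points at a template such as macros.vm. The following script is an added example, not XWiki's own code and not the payload the advisory omits: it scans exported XWiki page XML for that object combination and ranks each hit. The element layout it expects (<xwikidoc> with <web>, <name>, <author> and <object>/<className>/<property> children) is my reading of the XWiki document export format and is an assumption; the three sample documents are constructed inline, and the override content in the sample is a placeholder comment rather than a working template.

```python
# Added example (not XWiki project code): hunt for CVE-2024-31987-style skin
# overrides in exported XWiki page XML. The element names below are assumed
# from the XWiki document export format; adjust for your export version.
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SKIN_CLASS = "XWiki.XWikiSkins"
OVERRIDE_CLASS = "XWiki.XWikiSkinFileOverrideClass"
USER_CLASS = "XWiki.XWikiUsers"


@dataclass
class Finding:
    document: str
    author: str
    base_skin: str | None
    overridden_paths: list[str] = field(default_factory=list)
    on_user_profile: bool = False

    @property
    def severity(self) -> str:
        # A skin object alone may be a legitimate wiki skin; a template
        # override sitting on a user profile is exactly the advisory's pattern.
        if self.overridden_paths and self.on_user_profile:
            return "high"
        if self.overridden_paths:
            return "medium"
        return "low"


def _objects(root: ET.Element, class_name: str):
    """Yield <object> elements of the given XWiki class."""
    for obj in root.findall("object"):
        if obj.findtext("className") == class_name:
            yield obj


def _prop(obj: ET.Element, name: str) -> str | None:
    """Read one object property; each is wrapped as <property><name>v</name></property>."""
    for prop in obj.findall("property"):
        for child in prop:
            if child.tag == name:
                return child.text or ""
    return None


def scan_document(xml_text: str) -> Finding | None:
    """Return a Finding if the page carries skin or skin-override objects, else None."""
    root = ET.fromstring(xml_text)
    skins = list(_objects(root, SKIN_CLASS))
    overrides = list(_objects(root, OVERRIDE_CLASS))
    if not skins and not overrides:
        return None
    return Finding(
        document=f"{root.findtext('web')}.{root.findtext('name')}",
        author=root.findtext("author") or "",
        base_skin=_prop(skins[0], "baseskin") if skins else None,
        overridden_paths=[_prop(o, "path") or "" for o in overrides],
        on_user_profile=any(True for _ in _objects(root, USER_CLASS)),
    )


def scan_documents(docs: list[str]) -> list[Finding]:
    """Scan several exported pages and keep only the ones worth a look."""
    return [f for f in map(scan_document, docs) if f is not None]


# --- constructed sample input (not real wiki data) -------------------------
def _obj(class_name: str, **props: str) -> str:
    body = "".join(f"<property><{k}>{v}</{k}></property>" for k, v in props.items())
    return f"<object><className>{class_name}</className>{body}</object>"


def _doc(web: str, name: str, author: str, objects: str) -> str:
    return (f'<xwikidoc version="1.1"><web>{web}</web><name>{name}</name>'
            f"<author>{author}</author>{objects}<content/></xwikidoc>")


SAMPLE_DOCS = [
    # Attacker's profile: user object + skin object + macros.vm override.
    _doc("XWiki", "Mallory", "xwiki:XWiki.Mallory",
         _obj(USER_CLASS, first_name="Mallory")
         + _obj(SKIN_CLASS, baseskin="flamingo")
         + _obj(OVERRIDE_CLASS, path="macros.vm",
                content="## placeholder only; the real payload is not reproduced here")),
    # Legitimate wiki skin page with no overrides.
    _doc("XWiki", "DefaultSkin", "xwiki:XWiki.Admin", _obj(SKIN_CLASS, baseskin="flamingo")),
    # Ordinary page with nothing of interest.
    _doc("Main", "WebHome", "xwiki:XWiki.Admin", ""),
]

if __name__ == "__main__":
    for f in scan_documents(SAMPLE_DOCS):
        print(f"[{f.severity}] {f.document} by {f.author}: "
              f"baseskin={f.base_skin} overrides={f.overridden_paths}")
```

Run it against the XML files of a XAR export (or the per-page XML from the REST API) and triage every high or medium hit: a skin override on a page whose author should not hold programming right is the indicator, regardless of what the override content looks like.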
References
- github.com/advisories/GHSA-cv55-v6rw-7r5v
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/commit/3d4dbb41f52d1a6e39835cfb1695ca6668605a39
- github.com/xwiki/xwiki-platform/commit/626d2a5dbf95b4e719ae13bf1a0a9c76e4edd5a2
- github.com/xwiki/xwiki-platform/commit/da177c3c972e797d92c1a31e278f946012c41b56
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-cv55-v6rw-7r5v
- jira.xwiki.org/browse/XWIKI-21478
- nvd.nist.gov/vuln/detail/CVE-2024-31987