Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qMnI2LXI5MjktdjZnZs4AA63s
XWiki Platform CSRF in the job scheduler
Impact
It is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such an URL in any content as an image.
To reproduce in an XWiki installation, open <xwiki-host>:/xwiki/bin/view/Scheduler/?do=trigger&which=Scheduler.NotificationEmailDailySender
as a user with admin rights. If there is no error message that indicates the CSRF token is invalid, the installation is vulnerable.
Patches
The vulnerability has been fixed on XWiki 14.10.19, 15.5.5, and 15.9.
Workarounds
Modify the Scheduler.WebHome page following this patch.
References
- https://jira.xwiki.org/browse/XWIKI-20851
- https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qMnI2LXI5MjktdjZnZs4AA63s
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 23 days ago
Updated: 22 days ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Identifiers: GHSA-j2r6-r929-v6gf, CVE-2024-31985
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2r6-r929-v6gf
- https://github.com/xwiki/xwiki-platform/commit/8a92cb4bef7e5f244ae81eed3e64fe9be95827cf
- https://github.com/xwiki/xwiki-platform/commit/efd3570f3e5e944ec0ad0899bf799bf9563aef87
- https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c
- https://github.com/xwiki/xwiki-platform/commit/f30d9c641750a3f034b5910c6a3a7724ae8f2269
- https://jira.xwiki.org/browse/XWIKI-20851
- https://nvd.nist.gov/vuln/detail/CVE-2024-31985
- https://github.com/advisories/GHSA-j2r6-r929-v6gf
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-scheduler-ui
Affected Version Ranges: >= 15.6-rc-1, < 15.9, >= 15.0-rc-1, < 15.5.4, >= 3.1, < 14.10.19Fixed in: 15.9, 15.5.4, 14.10.19