### [CVE-2024-31981](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31981)
![](https://img.shields.io/static/v1?label=Product&message=xwiki-platform&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%2015.0-rc-1%2C%20%3C%2015.5.4%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%2015.6-rc-1%2C%20%3C%2015.10-rc-1%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%203.0.1%2C%20%3C%2014.10.20%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=15.0-rc-1%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=15.6-rc-1%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=3.01%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-862%3A%20Missing%20Authorization&color=brightgreen)

### Description

XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, remote code execution is possible via PDF export templates. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10-rc-1. If PDF templates are not typically used on the instance, an administrator can create the document `XWiki.PDFClass` and block its edition, after making sure that it does not contain a `style` attribute. Otherwise, there are no known workarounds aside from upgrading.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cve-scores