cve/2024/CVE-2024-31986.md

### [CVE-2024-31986](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-31986)
![](https://img.shields.io/static/v1?label=Product&message=xwiki-platform&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%2015.0-rc-1%2C%20%3C%2015.5.4%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%2015.6-rc-1%2C%20%3C%2015.9%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%203.1%2C%20%3C%2014.10.19%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=15.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=15.6%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=3.1%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-352%3A%20Cross-Site%20Request%20Forgery%20(CSRF)&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-95%3A%20Improper%20Neutralization%20of%20Directives%20in%20Dynamically%20Evaluated%20Code%20('Eval%20Injection')&color=brightgreen)

### Description

XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a special crafted documented reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, apply the patch manually by modifying the `Scheduler.WebHome` page.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cve-scores