SCA: security update for org.xwiki.platform:xwiki-platform-realtime-ui (GHSA-r5vh-gc3r-r24w)

high Tenable Self-Hosted Container Security Plugin ID 418512

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19,
15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code
execution with the interaction of an admin user with programming right. More precisely, by getting an
admin user to either visit a crafted URL or to view an image with this URL that could be in a comment, the
attacker can get the admin to execute arbitrary XWiki syntax including scripting macros with Groovy or
Python code. This compromises the confidentiality, integrity and availability of the whole XWiki
installation. This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9. As a workaround, one
may update `RTFrontend.ConvertHTML` manually with the patch. This will, however, break some
synchronization processes in the realtime editor, so upgrading should be the preferred way on
installations where this editor is used. (CVE-2024-31988)

See Also

https://github.com/advisories/GHSA-r5vh-gc3r-r24w

Plugin Details

Severity: High

ID: 418512

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.49

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-31988

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/10/2024

Vulnerability Publication Date: 4/10/2024

Reference Information

CVE: CVE-2024-31988

cwe: CWE-352