📦 Xwiki
by Xwiki
🔍 What is Xwiki?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
XWiki Platform versions 6.1-milestone-2 through 16.10.6 expose configuration files via the webjars API, allowing attackers to access sensitive system information. This affects all XWiki installations ...
This CVE describes a critical SQL injection vulnerability in XWiki Platform that allows attackers to execute arbitrary SQL queries on Oracle databases. The vulnerability affects XWiki versions 16.10.5...
This CVE describes a critical SQL injection vulnerability in XWiki Platform that allows unauthenticated attackers to execute arbitrary SQL commands via the 'sort' parameter in getdeleteddocuments.vm. ...
This vulnerability in XWiki Rendering allows cross-site scripting (XSS) attacks through raw HTML blocks in the XHTML syntax. Users who can edit documents (like user profiles, enabled by default) can i...
This vulnerability allows authenticated XWiki users to execute arbitrary SQL queries on Oracle databases through unsanitized DBMS_XMLGEN and DBMS_XMLQUERY functions in HQL queries. This affects XWiki ...
This vulnerability allows any user with access to XWiki pages to switch authentication methods, potentially disrupting authentication systems. It affects XWiki installations with specific version rang...
This vulnerability in XWiki allows attackers to gain programming rights through a privilege escalation attack. An attacker with edit rights can create a malicious object that grants them elevated priv...
This vulnerability allows remote unauthenticated attackers to perform blind SQL injection on XWiki instances, potentially executing arbitrary SQL statements on the database backend. Attackers can read...
This vulnerability allows any user to exploit the WikiManager REST API in XWiki Platform to create a new wiki and gain administrator privileges. This affects XWiki installations where the REST module ...
In XWiki Platform, users with only edit rights can join realtime editing sessions and insert script rendering macros that execute for users with script/programming rights. This allows privilege escala...
This vulnerability allows any authenticated user in XWiki Platform to execute arbitrary code remotely by adding malicious WikiMacroClass instances to pages. This compromises the entire XWiki installat...
This vulnerability allows any XWiki user with script rights to execute arbitrary remote code by adding XWiki.ConfigurableClass instances to pages. This compromises the entire XWiki installation's conf...
This CVE describes an SQL injection vulnerability in XWiki Platform's getdocument.vm template where unsanitized request parameters allow HQL injection. Any user can exploit this to potentially access ...
This vulnerability allows unprivileged users to trick administrators into editing malicious content in XWiki's WYSIWYG editor, executing arbitrary code with elevated privileges. It affects XWiki Platf...
This XWiki vulnerability allows attackers to inject and execute JavaScript code in the context of higher-privileged users by creating edit conflicts. This compromises the entire XWiki installation's c...
This vulnerability allows any user with edit rights on any XWiki page to perform arbitrary remote code execution by adding specific objects to their user profile or other pages. This compromises the e...
This vulnerability in XWiki Platform allows privilege escalation through macro execution context manipulation. When using the include macro, content executes with the includer's permissions rather tha...
This vulnerability in XWiki Platform allows privilege escalation through improper access control. When an administrator disables a user account, the user's profile content executes with administrator ...
CVE-2024-31997 is a critical remote code execution vulnerability in XWiki Platform where UI extension parameters are improperly executed as Velocity code with programming rights. Any user with edit pe...
This vulnerability allows remote code execution in XWiki Platform when the realtime editor is installed. An attacker can craft a malicious URL or image that, when viewed by an admin user with programm...
XWiki REST API lacks request size limits, allowing attackers to request all wiki pages in a single call. This can cause excessive memory consumption leading to service slowdown or denial-of-service. A...
This vulnerability in XWiki Jetty package (XJetty) exposes a context that allows static access to any file in the webapp/ folder. Attackers can potentially access sensitive files containing credential...
This vulnerability allows authenticated administrators in XWiki to inject malicious Apache Velocity templates through the Global Preferences Presentation interface. Successful exploitation enables ser...
This vulnerability allows any XWiki user with edit rights on an App Within Minutes application to escalate privileges to programming rights, leading to remote code execution. All XWiki users with defa...
This vulnerability in XWiki allows attackers to access page titles through the REST API without proper authorization. It affects XWiki installations where page names are obfuscated but titles contain ...
XWiki's required rights analyzers for dangerous macros are incomplete, allowing attackers to hide malicious content by using non-lowercase parameters or unanalyzed parameters. This could lead to remot...
This vulnerability in XWiki allows users with edit rights on any page (including their own profile) to execute arbitrary code with programming rights by manipulating wiki macro parameters. Attackers c...
A bug in XWiki's required rights enforcement allows users with edit rights to set programming rights as required rights on documents. If a user with programming rights then edits that document, it gai...
XWiki Platform subwikis with 'Prevent unregistered users to view pages' or similar privacy settings are vulnerable to unauthorized access through REST API calls. This allows unauthenticated attackers ...
CVE-2024-21648 is an authorization bypass vulnerability in XWiki Platform where the rollback action lacks proper permission checks. This allows authenticated users to rollback pages to previous versio...
This vulnerability in XWiki Platform allows attackers to execute Velocity scripts without proper script rights through the document tree. This affects all XWiki installations running vulnerable versio...
This CSRF vulnerability in XWiki Admin Tools allows attackers to execute arbitrary database queries when an admin user views malicious content. It affects XWiki instances with Admin Tools Application ...
This vulnerability in XWiki Platform allows attackers with edit access to any document (including default-editable user profiles) to move any attachment from any other document to their controlled doc...
This is a cross-site scripting (XSS) vulnerability in XWiki Platform that allows attackers to inject malicious JavaScript via specially crafted URLs. When exploited, it enables execution of arbitrary ...
This vulnerability in XWiki Platform allows attackers to retrieve email addresses of all users even when mail obfuscation is enabled. While emails appear obfuscated in the user interface, the underlyi...
CVE-2023-29521 is a critical remote code execution vulnerability in XWiki Platform where any user with view rights can execute arbitrary Groovy, Python, or Velocity code due to improper escaping in th...
This stored cross-site scripting (XSS) vulnerability in XWiki Commons allows users without script rights to inject malicious scripts via the Live Data macro, which execute when viewed by other users. ...
This cross-site scripting (XSS) vulnerability in XWiki allows attackers to inject malicious JavaScript via column names in Livetable and Documents macros. Users without script rights can exploit this ...
This vulnerability in XWiki Platform allows attackers to deduce password field contents through repeated calls to LiveTableResults and WikisLiveTableResultsMacros macros. It affects all XWiki installa...
This CVE allows users without script rights to perform stored cross-site scripting (XSS) attacks via the Live Data macro in XWiki Platform. Attackers can inject malicious scripts that execute when oth...
This CVE describes a cross-site scripting (XSS) vulnerability in XWiki Platform Filter UI that allows attackers to inject malicious scripts into form fields on the application's home page. When exploi...
This CVE describes a cross-site scripting (XSS) vulnerability in XWiki Platform's Flamingo Theme UI. Attackers can inject malicious scripts via the 'newThemeName' form field, potentially compromising ...
This is a cross-site scripting (XSS) vulnerability in XWiki Platform that allows attackers to inject malicious scripts via the xredirect parameter in the registration template. It affects XWiki instan...
CVE-2022-23616 allows unprivileged users to execute arbitrary code on XWiki Platform instances by injecting Groovy scripts into their profiles and triggering the password reset feature. This vulnerabi...
This vulnerability in XWiki allows attackers to determine whether an email address has an associated user account and identify the corresponding username(s) through the Forgot Username page. The lack ...
This vulnerability allows authenticated users without Script or Programming rights to execute privileged scripts by editing gadget titles in XWiki Platform dashboards. It affects XWiki Platform versio...
This vulnerability allows SQL injection in XWiki Platform's Ratings API for users with Script rights. Attackers can execute arbitrary SQL queries, potentially accessing, modifying, or deleting databas...
This CVE allows privilege escalation in XWiki Platform where the {{wikimacrocontent}} executes content with wiki macro author rights instead of caller rights, enabling script injection with programmin...
This vulnerability in XWiki Platform allows attackers to inject malicious CSS through comments, which can transform the entire wiki interface into a clickable area redirecting users to malicious websi...
This reflected XSS vulnerability in XWiki Platform allows attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers. If victims have administrative or programming rights...
This CVE describes a reflected cross-site scripting (XSS) vulnerability in XWiki Platform that allows attackers to inject malicious scripts into deletion confirmation messages. When victims click the ...
Authenticated administrators in XWiki can inject malicious JavaScript into administration interface fields, which then executes persistently in visitors' browsers. This affects all XWiki instances up ...
XWiki Platform REST endpoints improperly list protected pages even when users lack view permissions. This information disclosure vulnerability affects XWiki instances with protected pages or entire wi...
This vulnerability allows any authenticated user on the main XWiki wiki to execute scheduling operations on subwikis without proper authorization. It affects XWiki Platform instances with subwikis whe...
This vulnerability in XWiki Platform allows any authenticated user to manipulate another user's notification filter preferences by knowing the filter ID. Attackers can enable, disable, or delete notif...
This vulnerability in XWiki Platform allows users with view-only permissions on a page to delete and replace it with new content, bypassing edit and delete rights. The previous page version is moved t...