Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/64848?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/64848?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.0-rc-1", "type": "maven", "namespace": "org.xwiki.platform", "name": "xwiki-platform-distribution-war", "version": "14.0-rc-1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "14.3-rc-1", "latest_non_vulnerable_version": "17.3.0-rc-1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56341?format=api", "vulnerability_id": "VCID-7cnk-atkx-zfhx", "summary": "XWiki Platform has an SQL injection in getdocuments.vm with sort parameter\nIn `getdocument.vm` ; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL.\n\nDepending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.\n\nIt's possible to employ database backend dependent techniques of breaking out of HQL query context, described, for example, here: https://www.sonarsource.com/blog/exploiting-hibernate-injections.", "references": [ { "reference_url": "https://github.com/xwiki/xwiki-platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform" }, { "reference_url": "https://github.com/xwiki/xwiki-platform/commit/673076e2e8b88a36cdeaf7007843aa9ca1a068a0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform/commit/673076e2e8b88a36cdeaf7007843aa9ca1a068a0" }, { "reference_url": "https://jira.xwiki.org/browse/XWIKI-17568", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://jira.xwiki.org/browse/XWIKI-17568" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55663", "reference_id": "CVE-2024-55663", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55663" }, { "reference_url": "https://github.com/advisories/GHSA-wh34-m772-5398", "reference_id": "GHSA-wh34-m772-5398", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wh34-m772-5398" }, { "reference_url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398", "reference_id": "GHSA-wh34-m772-5398", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83521?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.3-rc-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.3-rc-1" } ], "aliases": [ "CVE-2024-55663", "GHSA-wh34-m772-5398" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7cnk-atkx-zfhx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44996?format=api", "vulnerability_id": "VCID-p435-wdg5-eqax", "summary": "Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')\nXWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Affected versions of xwiki are subject to code injection in the `since` parameter of the `/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration` endpoint. This provides an XWiki syntax injection attack via the since-parameter, allowing privilege escalation from view to programming rights and subsequent code execution privilege. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8 and 14.10.3. Users are advised to upgrade. Users unable to upgrade may modify the page `XWiki.Notifications.Code.LegacyNotificationAdministration` to add the missing escaping. For versions < 14.6-rc-1 a workaround is to modify the file `<xwikiwebapp>/templates/distribution/eventmigration.wiki` to add the missing escaping.", "references": [ { "reference_url": "https://github.com/xwiki/xwiki-platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform" }, { "reference_url": "https://github.com/xwiki/xwiki-platform/commit/6d74e2e4aa03d19f0be385ab63ae9e0f0e90a766", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform/commit/6d74e2e4aa03d19f0be385ab63ae9e0f0e90a766" }, { "reference_url": "https://github.com/xwiki/xwiki-platform/commit/8e7c7f90f2ddaf067cb5b83b181af41513028754#diff-4e13f4ee4a42938bf1201b7ee71ca32edeacba22559daf0bcb89d534e0225949R70", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform/commit/8e7c7f90f2ddaf067cb5b83b181af41513028754#diff-4e13f4ee4a42938bf1201b7ee71ca32edeacba22559daf0bcb89d534e0225949R70" }, { "reference_url": "https://jira.xwiki.org/browse/XWIKI-20287", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://jira.xwiki.org/browse/XWIKI-20287" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29525", "reference_id": "CVE-2023-29525", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29525" }, { "reference_url": "https://github.com/advisories/GHSA-jgg7-w2rj-58cj", "reference_id": "GHSA-jgg7-w2rj-58cj", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-jgg7-w2rj-58cj" }, { "reference_url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jgg7-w2rj-58cj", "reference_id": "GHSA-jgg7-w2rj-58cj", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jgg7-w2rj-58cj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64851?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.4.8", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.4.8" }, { "url": "http://public2.vulnerablecode.io/api/packages/64852?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.6-rc-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.6-rc-1" } ], "aliases": [ "CVE-2023-29525", "GHSA-jgg7-w2rj-58cj" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p435-wdg5-eqax" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.0-rc-1" }