Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-4fw7-4s5x-n3fv
Summary
XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API
### Impact

It's possible to execute any SQL query in Oracle by using the function like [DBMS_XMLGEN or DBMS_XMLQUERY](https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html).

The XWiki#searchDocuments APIs are not sanitizing the query at all and even if they force a specific select, Hibernate allows using any native function in an HQL query (for example in the WHERE).

### Patches

This has been patched in 16.10.6 and 17.3.0-rc-1.

### Workarounds

There is no known workaround, other than upgrading XWiki.

### References

https://jira.xwiki.org/browse/XWIKI-22728

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)
Aliases
0
alias CVE-2025-54385
1
alias GHSA-p9qm-p942-q3w5
Fixed_packages
0
url pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.10.6
purl pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.10.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.10.6
1
url pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.3.0-rc-1
purl pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.3.0-rc-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.3.0-rc-1
Affected_packages
0
url pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@1.0
purl pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ep7-j2b3-duat
1
vulnerability VCID-4czm-tywp-h3er
2
vulnerability VCID-4fw7-4s5x-n3fv
3
vulnerability VCID-f872-dkzj-ufac
4
vulnerability VCID-kx6s-546m-gkdv
5
vulnerability VCID-q5t9-725x-dkb1
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@1.0
1
url pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.0.0-rc1
purl pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.0.0-rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4fw7-4s5x-n3fv
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.0.0-rc1
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-54385
reference_id
reference_type
scores
0
value 0.0047
scoring_system epss
scoring_elements 0.64586
published_at 2026-04-13T12:55:00Z
1
value 0.0047
scoring_system epss
scoring_elements 0.64627
published_at 2026-04-11T12:55:00Z
2
value 0.0047
scoring_system epss
scoring_elements 0.64615
published_at 2026-04-12T12:55:00Z
3
value 0.0047
scoring_system epss
scoring_elements 0.64633
published_at 2026-04-18T12:55:00Z
4
value 0.0047
scoring_system epss
scoring_elements 0.64621
published_at 2026-04-16T12:55:00Z
5
value 0.00487
scoring_system epss
scoring_elements 0.65416
published_at 2026-04-02T12:55:00Z
6
value 0.00487
scoring_system epss
scoring_elements 0.6547
published_at 2026-04-09T12:55:00Z
7
value 0.00487
scoring_system epss
scoring_elements 0.65459
published_at 2026-04-08T12:55:00Z
8
value 0.00487
scoring_system epss
scoring_elements 0.65406
published_at 2026-04-07T12:55:00Z
9
value 0.00487
scoring_system epss
scoring_elements 0.65443
published_at 2026-04-04T12:55:00Z
10
value 0.00524
scoring_system epss
scoring_elements 0.66961
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-54385
1
reference_url https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-28T18:59:18Z/
url https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html
2
reference_url https://github.com/xwiki/xwiki-platform
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/xwiki/xwiki-platform
3
reference_url https://github.com/xwiki/xwiki-platform/commit/7313dc9b533c70f14b7672379c8b3b63d1fd8f51
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-28T18:59:18Z/
url https://github.com/xwiki/xwiki-platform/commit/7313dc9b533c70f14b7672379c8b3b63d1fd8f51
4
reference_url https://github.com/xwiki/xwiki-platform/commit/7c4087d44ac550610b2fa413dd4f5375409265a5
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-28T18:59:18Z/
url https://github.com/xwiki/xwiki-platform/commit/7c4087d44ac550610b2fa413dd4f5375409265a5
5
reference_url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9qm-p942-q3w5
reference_id
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-28T18:59:18Z/
url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9qm-p942-q3w5
6
reference_url https://jira.xwiki.org/browse/XWIKI-22728
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-28T18:59:18Z/
url https://jira.xwiki.org/browse/XWIKI-22728
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-54385
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-54385
8
reference_url https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.6
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-07-28T18:59:18Z/
url https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.6
9
reference_url https://github.com/advisories/GHSA-p9qm-p942-q3w5
reference_id GHSA-p9qm-p942-q3w5
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p9qm-p942-q3w5
Weaknesses
0
cwe_id 20
name Improper Input Validation
description The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
1
cwe_id 89
name Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
description The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
3
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score7.0 - 8.9
Exploitability0.5
Weighted_severity8.0
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-4fw7-4s5x-n3fv