Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/56341?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56341?format=api", "vulnerability_id": "VCID-7cnk-atkx-zfhx", "summary": "XWiki Platform has an SQL injection in getdocuments.vm with sort parameter\nIn `getdocument.vm` ; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL.\n\nDepending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.\n\nIt's possible to employ database backend dependent techniques of breaking out of HQL query context, described, for example, here: https://www.sonarsource.com/blog/exploiting-hibernate-injections.", "aliases": [ { "alias": "CVE-2024-55663" }, { "alias": "GHSA-wh34-m772-5398" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83520?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@13.10.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@13.10.5" }, { "url": "http://public2.vulnerablecode.io/api/packages/83521?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.3-rc-1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.3-rc-1" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/83519?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@6.3-milestone-2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7cnk-atkx-zfhx" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@6.3-milestone-2" }, { "url": "http://public2.vulnerablecode.io/api/packages/64848?format=api", "purl": "pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.0-rc-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7cnk-atkx-zfhx" }, { "vulnerability": "VCID-p435-wdg5-eqax" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war@14.0-rc-1" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-55663", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01904", "scoring_system": "epss", "scoring_elements": "0.83614", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-55663" }, { "reference_url": "https://github.com/xwiki/xwiki-platform", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/xwiki/xwiki-platform" }, { "reference_url": "https://github.com/xwiki/xwiki-platform/commit/673076e2e8b88a36cdeaf7007843aa9ca1a068a0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-13T14:58:07Z/" } ], "url": "https://github.com/xwiki/xwiki-platform/commit/673076e2e8b88a36cdeaf7007843aa9ca1a068a0" }, { "reference_url": "https://jira.xwiki.org/browse/XWIKI-17568", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-13T14:58:07Z/" } ], "url": "https://jira.xwiki.org/browse/XWIKI-17568" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55663", "reference_id": "CVE-2024-55663", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55663" }, { "reference_url": "https://github.com/advisories/GHSA-wh34-m772-5398", "reference_id": "GHSA-wh34-m772-5398", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wh34-m772-5398" }, { "reference_url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398", "reference_id": "GHSA-wh34-m772-5398", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-13T14:58:07Z/" } ], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398" } ], "weaknesses": [ { "cwe_id": 116, "name": "Improper Encoding or Escaping of Output", "description": "The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "7.0 - 8.9", "exploitability": "0.5", "weighted_severity": "8.0", "risk_score": 4.0, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7cnk-atkx-zfhx" }