Package details: pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@1.0
purl: pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@1.0
Next non-vulnerable version: 11.10.5
Latest non-vulnerable version: 17.10.1
Risk: 4.5
Vulnerabilities affecting this package (6)
VCID-1ep7-j2b3-duat
Aliases: CVE-2024-21648, GHSA-xh35-w7wg-95v3
Summary: XWiki has no right protection on rollback action
Impact: The rollback action is missing a right protection: a user can roll back to a previous version of a page to regain rights they no longer have. This vulnerability impacts all versions of XWiki since the rollback action was introduced.
Patches: The problem has been patched in XWiki 14.10.16, 15.5.3 and 15.8-rc-1 by ensuring that the rights are checked before performing the rollback.
Workarounds: There is no workaround for this vulnerability, other than taking care to delete old versions of documents that could allow users to gain more rights.
References:
* JIRA ticket: https://jira.xwiki.org/browse/XWIKI-21257
* Commit: https://github.com/xwiki/xwiki-platform/commit/4de72875ca49602796165412741033bfdbf1e680
For more information: if you have any questions or comments about this advisory, open an issue in Jira XWiki.org (https://jira.xwiki.org/) or email the security mailing list (security@xwiki.org).
Fixed by: 14.10.17 (affected by 0 other vulnerabilities)
VCID-4czm-tywp-h3er
Aliases: CVE-2023-46243, GHSA-g2qq-c5j9-5w5w
Summary: XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it is possible for a user to execute any content with the rights of an existing document's content author, provided the user has edit right on that document. A crafted URL of the form `/xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view` can be used to execute arbitrary Groovy code on the server. This vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. Users are advised to update. There are no known workarounds for this issue.
Fixed by: 14.10.6 (affected by 0 other vulnerabilities); 15.2-rc-1 (affected by 0 other vulnerabilities)
VCID-4fw7-4s5x-n3fv
Aliases: CVE-2025-54385, GHSA-p9qm-p942-q3w5
Summary: XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API
Impact: It is possible to execute any SQL query in Oracle by using functions such as DBMS_XMLGEN or DBMS_XMLQUERY (https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html). The XWiki#searchDocuments APIs do not sanitize the query at all, and even though they force a specific select, Hibernate allows using any native function in an HQL query (for example in the WHERE clause).
Patches: This has been patched in 16.10.6 and 17.3.0-rc-1.
Workarounds: There is no known workaround, other than upgrading XWiki.
References: https://jira.xwiki.org/browse/XWIKI-22728
For more information: if you have any questions or comments about this advisory, open an issue in Jira XWiki.org (https://jira.xwiki.org/) or email the security mailing list (security@xwiki.org).
Fixed by: 16.10.6 (affected by 0 other vulnerabilities); 17.3.0-rc-1 (affected by 0 other vulnerabilities)
VCID-f872-dkzj-ufac
Aliases: CVE-2024-56158, GHSA-prwh-7838-xf82
Summary: XWiki allows SQL injection in query endpoint of REST API with Oracle
Impact: It is possible to execute any SQL query in Oracle by using functions such as DBMS_XMLGEN or DBMS_XMLQUERY (https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html). The XWiki query validator does not sanitize functions that would be used in a simple `select`, and Hibernate allows using any native function in an HQL query.
Patches: This has been patched in 16.10.2, 16.4.7 and 15.10.16.
Workarounds: There is no known workaround, other than upgrading XWiki.
References: https://jira.xwiki.org/browse/XWIKI-22734
For more information: if you have any questions or comments about this advisory, open an issue in Jira XWiki.org (https://jira.xwiki.org/) or email the security mailing list (security@xwiki.org).
Fixed by: 15.10.16 (affected by 0 other vulnerabilities); 16.4.7 (affected by 0 other vulnerabilities); 16.10.2 (affected by 0 other vulnerabilities)
VCID-kx6s-546m-gkdv
Aliases: CVE-2023-46242, GHSA-hgpw-6p4h-j6h5
Summary: Cross-Site Request Forgery (CSRF)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it is possible to execute content with the rights of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulnerability. This issue has been patched in XWiki 14.10.7 and 15.2RC1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Fixed by: 14.10.7 (affected by 0 other vulnerabilities); 15.2-rc-1 (affected by 0 other vulnerabilities)
VCID-q5t9-725x-dkb1
Aliases: CVE-2022-23615, GHSA-f4cj-3q3h-884r
Summary: Partial authorization bypass on document save in xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the rights of the current user, which allows accessing APIs that require programming right if the current user has programming right. This has been patched in XWiki 13.0. Users are advised to update to resolve this issue. The only known workaround is to limit SCRIPT access.
Fixed by: 13.0 (affected by 2 other vulnerabilities)
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-07T04:58:17.152861+00:00 | GHSA Importer | Affected by | VCID-4fw7-4s5x-n3fv | https://github.com/advisories/GHSA-p9qm-p942-q3w5 | 38.1.0 |
| 2026-04-07T04:58:00.965118+00:00 | GHSA Importer | Affected by | VCID-f872-dkzj-ufac | https://github.com/advisories/GHSA-prwh-7838-xf82 | 38.1.0 |
| 2026-04-02T17:00:39.024427+00:00 | GHSA Importer | Affected by | VCID-4czm-tywp-h3er | https://github.com/advisories/GHSA-g2qq-c5j9-5w5w | 38.1.0 |
| 2026-04-02T17:00:38.965306+00:00 | GHSA Importer | Affected by | VCID-kx6s-546m-gkdv | https://github.com/advisories/GHSA-hgpw-6p4h-j6h5 | 38.1.0 |
| 2026-04-02T12:41:46.486018+00:00 | GitLab Importer | Affected by | VCID-4fw7-4s5x-n3fv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2025-54385.yml | 38.0.0 |
| 2026-04-02T12:41:33.582728+00:00 | GitLab Importer | Affected by | VCID-f872-dkzj-ufac | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2024-56158.yml | 38.0.0 |
| 2026-04-01T16:04:18.220630+00:00 | GHSA Importer | Affected by | VCID-1ep7-j2b3-duat | https://github.com/advisories/GHSA-xh35-w7wg-95v3 | 38.0.0 |
| 2026-04-01T15:59:31.522421+00:00 | GHSA Importer | Affected by | VCID-q5t9-725x-dkb1 | https://github.com/advisories/GHSA-f4cj-3q3h-884r | 38.0.0 |
| 2026-04-01T12:52:22.358447+00:00 | GitLab Importer | Affected by | VCID-1ep7-j2b3-duat | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2024-21648.yml | 38.0.0 |
| 2026-04-01T12:52:04.594945+00:00 | GitLab Importer | Affected by | VCID-kx6s-546m-gkdv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2023-46242.yml | 38.0.0 |
| 2026-04-01T12:52:04.566348+00:00 | GitLab Importer | Affected by | VCID-4czm-tywp-h3er | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2023-46243.yml | 38.0.0 |
| 2026-04-01T12:49:28.526402+00:00 | GitLab Importer | Affected by | VCID-q5t9-725x-dkb1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2022-23615.yml | 38.0.0 |