VulnerableCode Package Details - pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.10

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ka4y-na7f-5kcc	org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. Example of such attack: ``` {{velocity}} $doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}') $doc.authors.setContentAuthor('xwiki:XWiki.superadmin') $doc.getRenderedContent() {{/velocity}}```	CVE-2023-29507 GHSA-pwfv-3cvg-9m4c
VCID-mgyt-2kx1-9yfz	XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.	CVE-2023-26474 GHSA-3738-p9x3-mv9r
VCID-xms6-msad-wkgm	org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents ### Impact Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked. ### Patches The problem has been patched in XWiki 14.10 by checking the rights of current user: only admin and deleter of the document are allowed to view it. ### Workarounds There is no workaround for this vulnerability other than upgrading. ### References * Jira ticket: https://jira.xwiki.org/browse/XWIKI-16285 * Commit: https://github.com/xwiki/xwiki-platform/commit/d9e947559077e947315bf700c5703dfc7dd8a8d7 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](https://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org)	CVE-2023-29208 GHSA-4f8g-fq6x-jqrr

Vulnerability

Summary

Aliases

VCID-ka4y-na7f-5kcc

org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. Example of such attack: ``` {{velocity}} $doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}') $doc.authors.setContentAuthor('xwiki:XWiki.superadmin') $doc.getRenderedContent() {{/velocity}}```

CVE-2023-29507
GHSA-pwfv-3cvg-9m4c

VCID-mgyt-2kx1-9yfz

XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.

CVE-2023-26474
GHSA-3738-p9x3-mv9r

VCID-xms6-msad-wkgm

org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents ### Impact Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked. ### Patches The problem has been patched in XWiki 14.10 by checking the rights of current user: only admin and deleter of the document are allowed to view it. ### Workarounds There is no workaround for this vulnerability other than upgrading. ### References * Jira ticket: https://jira.xwiki.org/browse/XWIKI-16285 * Commit: https://github.com/xwiki/xwiki-platform/commit/d9e947559077e947315bf700c5703dfc7dd8a8d7 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](https://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org)

CVE-2023-29208
GHSA-4f8g-fq6x-jqrr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:26:40.614453+00:00	GitLab Importer	Fixing	VCID-ka4y-na7f-5kcc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2023-29507.yml	38.4.0
2026-04-11T23:44:59.936925+00:00	GitLab Importer	Fixing	VCID-ka4y-na7f-5kcc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2023-29507.yml	38.3.0
2026-04-02T23:48:37.679616+00:00	GitLab Importer	Fixing	VCID-ka4y-na7f-5kcc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2023-29507.yml	38.1.0
2026-04-02T16:59:18.759645+00:00	GHSA Importer	Fixing	VCID-ka4y-na7f-5kcc	https://github.com/advisories/GHSA-pwfv-3cvg-9m4c	38.1.0
2026-04-02T16:59:18.073615+00:00	GHSA Importer	Fixing	VCID-xms6-msad-wkgm	https://github.com/advisories/GHSA-4f8g-fq6x-jqrr	38.1.0
2026-04-02T16:59:02.886309+00:00	GHSA Importer	Fixing	VCID-mgyt-2kx1-9yfz	https://github.com/advisories/GHSA-3738-p9x3-mv9r	38.1.0
2026-04-01T12:58:38.458207+00:00	GithubOSV Importer	Fixing	VCID-mgyt-2kx1-9yfz	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3738-p9x3-mv9r/GHSA-3738-p9x3-mv9r.json	38.0.0
2026-04-01T12:57:36.645032+00:00	GithubOSV Importer	Fixing	VCID-ka4y-na7f-5kcc	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-pwfv-3cvg-9m4c/GHSA-pwfv-3cvg-9m4c.json	38.0.0
2026-04-01T12:57:35.146339+00:00	GithubOSV Importer	Fixing	VCID-xms6-msad-wkgm	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-4f8g-fq6x-jqrr/GHSA-4f8g-fq6x-jqrr.json	38.0.0
2026-04-01T12:51:08.904196+00:00	GitLab Importer	Fixing	VCID-xms6-msad-wkgm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2023-29208.yml	38.0.0
2026-04-01T12:51:07.806066+00:00	GitLab Importer	Fixing	VCID-ka4y-na7f-5kcc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2023-29507.yml	38.0.0
2026-04-01T12:50:58.135302+00:00	GitLab Importer	Fixing	VCID-mgyt-2kx1-9yfz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2023-26474.yml	38.0.0