VulnerableCode Package Details - pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@16.0.0

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-q2b9-583a-9yd9	XWiki Platform allows remote code execution from user account ### Impact When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`. As an admin, go to the user profile and click the "Disable this account" button. Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable. ### Patches This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. ### Workarounds We're not aware of any workaround except upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-21611 * https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a	CVE-2024-37899 GHSA-j584-j2vj-3f93
VCID-zv2f-hpz1-ruba	XWiki Platform allows XSS through XClass name in string properties ### Impact Is it possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. #### Reproduction steps 1. As a user without script or programming right, create a (non-terminal) document named `" + alert(1) + "` (the quotes need to be part of the name). 1. Edit the class. 1. Add a string property named `"test"`. 1. Edit using the object editor and add an object of the created class 1. Get an admin to open `<xwiki-server>/xwiki/bin/view/%22%20%2B%20alert(1)%20%2B%20%22/?viewer=display&type=object&property=%22%20%2B%20alert(1)%20%2B%20%22.WebHome.test&mode=edit` where `<xwiki-server>` is the URL of your XWiki installation. ### Patches This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. ### Workarounds We're not aware of any workaround except upgrading. ### References - https://jira.xwiki.org/browse/XWIKI-21810 - https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c	CVE-2024-43400 GHSA-wcg9-pgqv-xm5v

Vulnerability

Summary

Aliases

VCID-q2b9-583a-9yd9

XWiki Platform allows remote code execution from user account ### Impact When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`. As an admin, go to the user profile and click the "Disable this account" button. Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable. ### Patches This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. ### Workarounds We're not aware of any workaround except upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-21611 * https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a

CVE-2024-37899
GHSA-j584-j2vj-3f93

VCID-zv2f-hpz1-ruba

XWiki Platform allows XSS through XClass name in string properties ### Impact Is it possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. #### Reproduction steps 1. As a user without script or programming right, create a (non-terminal) document named `" + alert(1) + "` (the quotes need to be part of the name). 1. Edit the class. 1. Add a string property named `"test"`. 1. Edit using the object editor and add an object of the created class 1. Get an admin to open `<xwiki-server>/xwiki/bin/view/%22%20%2B%20alert(1)%20%2B%20%22/?viewer=display&type=object&property=%22%20%2B%20alert(1)%20%2B%20%22.WebHome.test&mode=edit` where `<xwiki-server>` is the URL of your XWiki installation. ### Patches This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. ### Workarounds We're not aware of any workaround except upgrading. ### References - https://jira.xwiki.org/browse/XWIKI-21810 - https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c

CVE-2024-43400
GHSA-wcg9-pgqv-xm5v

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:06:20.370898+00:00	GitLab Importer	Fixing	VCID-zv2f-hpz1-ruba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2024-43400.yml	38.4.0
2026-04-16T23:02:54.765482+00:00	GitLab Importer	Fixing	VCID-q2b9-583a-9yd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2024-37899.yml	38.4.0
2026-04-12T00:24:20.695107+00:00	GitLab Importer	Fixing	VCID-zv2f-hpz1-ruba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2024-43400.yml	38.3.0
2026-04-12T00:20:44.051369+00:00	GitLab Importer	Fixing	VCID-q2b9-583a-9yd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2024-37899.yml	38.3.0
2026-04-03T00:31:56.074078+00:00	GitLab Importer	Fixing	VCID-zv2f-hpz1-ruba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2024-43400.yml	38.1.0
2026-04-03T00:28:16.990991+00:00	GitLab Importer	Fixing	VCID-q2b9-583a-9yd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2024-37899.yml	38.1.0
2026-04-02T12:39:56.573583+00:00	GitLab Importer	Fixing	VCID-zv2f-hpz1-ruba	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2024-43400.yml	38.0.0
2026-04-02T12:39:38.336684+00:00	GitLab Importer	Fixing	VCID-q2b9-583a-9yd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2024-37899.yml	38.0.0
2026-04-01T16:06:16.600830+00:00	GHSA Importer	Fixing	VCID-zv2f-hpz1-ruba	https://github.com/advisories/GHSA-wcg9-pgqv-xm5v	38.0.0
2026-04-01T16:05:53.268449+00:00	GHSA Importer	Fixing	VCID-q2b9-583a-9yd9	https://github.com/advisories/GHSA-j584-j2vj-3f93	38.0.0
2026-04-01T12:51:34.803745+00:00	GithubOSV Importer	Fixing	VCID-q2b9-583a-9yd9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-j584-j2vj-3f93/GHSA-j584-j2vj-3f93.json	38.0.0
2026-04-01T12:50:40.890606+00:00	GithubOSV Importer	Fixing	VCID-zv2f-hpz1-ruba	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-wcg9-pgqv-xm5v/GHSA-wcg9-pgqv-xm5v.json	38.0.0