Vulnerabilities affecting this package (0)
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
Vulnerabilities fixed by this package (1)
| Vulnerability | Summary | Aliases |
VCID-f872-dkzj-ufac
|
XWiki allows SQL injection in query endpoint of REST API with Oracle
### Impact
It's possible to execute any SQL query in Oracle by using a function such as [DBMS_XMLGEN or DBMS_XMLQUERY](https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html).
The XWiki query validator does not sanitize functions that would be used in a simple `select`, and Hibernate allows using any native function in an HQL query.
### Patches
This has been patched in 16.10.2, 16.4.7 and 15.10.16.
### Workarounds
There is no known workaround, other than upgrading XWiki.
### References
https://jira.xwiki.org/browse/XWIKI-22734
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)
|
CVE-2024-56158
GHSA-prwh-7838-xf82
|