Search for packages
| purl | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@17.0.0-rc1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4fw7-4s5x-n3fv
Aliases: CVE-2025-54385 GHSA-p9qm-p942-q3w5 |
XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API ### Impact It's possible to execute any SQL query in Oracle by using the function like [DBMS_XMLGEN or DBMS_XMLQUERY](https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html). The XWiki#searchDocuments APIs are not sanitizing the query at all and even if they force a specific select, Hibernate allows using any native function in an HQL query (for example in the WHERE). ### Patches This has been patched in 16.10.6 and 17.3.0-rc-1. ### Workarounds There is no known workaround, other than upgrading XWiki. ### References https://jira.xwiki.org/browse/XWIKI-22728 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org) |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-07T04:58:17.193495+00:00 | GHSA Importer | Affected by | VCID-4fw7-4s5x-n3fv | https://github.com/advisories/GHSA-p9qm-p942-q3w5 | 38.1.0 |
| 2026-04-02T12:41:46.491008+00:00 | GitLab Importer | Affected by | VCID-4fw7-4s5x-n3fv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-oldcore/CVE-2025-54385.yml | 38.0.0 |