Vulnerabilities affecting this package (0)
| Vulnerability | Summary | Fixed by |
| This package is not known to be affected by vulnerabilities. |
Vulnerabilities fixed by this package (1)
| Vulnerability | Summary | Aliases |
VCID-4fw7-4s5x-n3fv
|
XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API
### Impact
It is possible to execute any SQL query in Oracle by using a function such as [DBMS_XMLGEN or DBMS_XMLQUERY](https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html).
The XWiki#searchDocuments APIs do not sanitize the query at all, and even if they force a specific select, Hibernate allows any native function to be used in an HQL query (for example in the WHERE clause).
### Patches
This has been patched in 16.10.6 and 17.3.0-rc-1.
### Workarounds
There is no known workaround, other than upgrading XWiki.
### References
https://jira.xwiki.org/browse/XWIKI-22728
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)
|
CVE-2025-54385
GHSA-p9qm-p942-q3w5
|