Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.xwiki.commons/xwiki-commons-velocity@3.2-rc-1

Type maven

Namespace org.xwiki.commons

Name xwiki-commons-velocity

Version 3.2-rc-1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 14.10.19

Latest_non_vulnerable_version 15.9-rc-1

Affected_by_vulnerabilities

url VCID-4j8w-ppxr-5uhn

vulnerability_id VCID-4j8w-ppxr-5uhn

summary

Arbitrary filesystem write access from velocity.
The velocity scripts is not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Now writing an attacking script in velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-24897

reference_id

reference_type

scores

value	0.00325
scoring_system	epss
scoring_elements	0.55831
published_at	2026-06-09T12:55:00Z

value	0.00325
scoring_system	epss
scoring_elements	0.55778
published_at	2026-06-04T12:55:00Z

value	0.00325
scoring_system	epss
scoring_elements	0.55835
published_at	2026-06-05T12:55:00Z

value	0.00325
scoring_system	epss
scoring_elements	0.55841
published_at	2026-06-06T12:55:00Z

value	0.00325
scoring_system	epss
scoring_elements	0.55828
published_at	2026-06-07T12:55:00Z

value	0.00325
scoring_system	epss
scoring_elements	0.5581
published_at	2026-06-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-24897

reference_url

https://github.com/xwiki/xwiki-commons

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/xwiki/xwiki-commons

reference_url

https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:43:18Z/

url

https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8

reference_url

https://github.com/xwiki/xwiki-commons/pull/127

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:43:18Z/

url

https://github.com/xwiki/xwiki-commons/pull/127

reference_url

https://jira.xwiki.org/browse/XWIKI-5168

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:43:18Z/

url

https://jira.xwiki.org/browse/XWIKI-5168

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-24897

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-24897

reference_url

https://github.com/advisories/GHSA-cvx5-m8vg-vxgc

reference_id

GHSA-cvx5-m8vg-vxgc

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-cvx5-m8vg-vxgc

reference_url

https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc

reference_id

GHSA-cvx5-m8vg-vxgc

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-04-22T15:43:18Z/

url

https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc

fixed_packages

url pkg:maven/org.xwiki.commons/xwiki-commons-velocity@12.6.7

purl pkg:maven/org.xwiki.commons/xwiki-commons-velocity@12.6.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hvr3-f52j-5fah

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.commons/xwiki-commons-velocity@12.6.7

url pkg:maven/org.xwiki.commons/xwiki-commons-velocity@12.10.3

purl pkg:maven/org.xwiki.commons/xwiki-commons-velocity@12.10.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hvr3-f52j-5fah

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.commons/xwiki-commons-velocity@12.10.3

aliases CVE-2022-24897, GHSA-cvx5-m8vg-vxgc, GMS-2022-1102

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4j8w-ppxr-5uhn

url VCID-hvr3-f52j-5fah

vulnerability_id VCID-hvr3-f52j-5fah

summary

XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution
The HTML escaping of escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-31996

reference_id

reference_type

scores

value	0.0805
scoring_system	epss
scoring_elements	0.92277
published_at	2026-06-07T12:55:00Z

value	0.0805
scoring_system	epss
scoring_elements	0.92292
published_at	2026-06-09T12:55:00Z

value	0.0805
scoring_system	epss
scoring_elements	0.92278
published_at	2026-06-08T12:55:00Z

value	0.0805
scoring_system	epss
scoring_elements	0.92281
published_at	2026-06-06T12:55:00Z

value	0.0805
scoring_system	epss
scoring_elements	0.92283
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-31996

reference_url

https://github.com/xwiki/xwiki-commons

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/xwiki/xwiki-commons

reference_url

https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-03T14:18:52Z/

url

https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa

reference_url

https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-03T14:18:52Z/

url

https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a

reference_url

https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-03T14:18:52Z/

url

https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915

reference_url

https://jira.xwiki.org/browse/XCOMMONS-2828

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-03T14:18:52Z/

url

https://jira.xwiki.org/browse/XCOMMONS-2828

reference_url

https://jira.xwiki.org/browse/XWIKI-21438

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-03T14:18:52Z/

url

https://jira.xwiki.org/browse/XWIKI-21438

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-31996

reference_id

CVE-2024-31996

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-31996

reference_url

https://github.com/advisories/GHSA-hf43-47q4-fhq5

reference_id

GHSA-hf43-47q4-fhq5

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hf43-47q4-fhq5

reference_url

https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5

reference_id

GHSA-hf43-47q4-fhq5

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-03T14:18:52Z/

url

https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5

fixed_packages

url	pkg:maven/org.xwiki.commons/xwiki-commons-velocity@14.10.19
purl	pkg:maven/org.xwiki.commons/xwiki-commons-velocity@14.10.19
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.commons/xwiki-commons-velocity@14.10.19

url	pkg:maven/org.xwiki.commons/xwiki-commons-velocity@15.5.4
purl	pkg:maven/org.xwiki.commons/xwiki-commons-velocity@15.5.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.commons/xwiki-commons-velocity@15.5.4

url	pkg:maven/org.xwiki.commons/xwiki-commons-velocity@15.9-rc-1
purl	pkg:maven/org.xwiki.commons/xwiki-commons-velocity@15.9-rc-1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.commons/xwiki-commons-velocity@15.9-rc-1

aliases CVE-2024-31996, GHSA-hf43-47q4-fhq5

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hvr3-f52j-5fah

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.commons/xwiki-commons-velocity@3.2-rc-1

Package Instance