CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-56158 – XWiki allows SQL injection in query endpoint of REST API with Oracle
https://notcve.org/view.php?id=CVE-2024-56158
12 Jun 2025 — XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-prwh-7838-xf82 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 1%CPEs: 2EXPL: 0CVE-2025-48063 – XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right
https://notcve.org/view.php?id=CVE-2025-48063
21 May 2025 — XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means t... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp • CWE-285: Improper Authorization •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-46554 – XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API
https://notcve.org/view.php?id=CVE-2025-46554
30 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on current user rights, meaning an unauthenticated user could exploit this even in a private wiki. This issue has been patched in versions 14.10.22, 15.10.12, 16.4.3, ... • https://github.com/xwiki/xwiki-platform/commit/37ecea84fdd053c33733c2ae9a0778bf98eae608 • CWE-862: Missing Authorization •
CVSS: 8.4EPSS: 0%CPEs: 3EXPL: 0CVE-2025-46557 – Any user with view access to the XWiki space can change the authenticator
https://notcve.org/view.php?id=CVE-2025-46557
30 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 15.3-rc-1 to before 15.10.14, from 16.0.0-rc-1 to before 16.4.6, and from 16.5.0-rc-1 to before 16.10.0-rc-1, a user who can access pages located in the XWiki space (by default, anyone) can access the page XWiki.Authentication.Administration and (unless an authenticator is set in xwiki.cfg) switch to another installed authenticator. Note that, by default, there is only one authenticator available (Standard XWiki Authenticator). So, if no authentica... • https://github.com/xwiki/xwiki-platform/commit/5efc31cea1501c9a5cb593566fea8b558ff32a2a • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2025-32973 – org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
https://notcve.org/view.php?id=CVE-2025-32973
30 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass, there is no warning that this will grant programming rights to this object. An attacker who created such a malicious object could use this to gain programming rights on the wiki. For th... • https://github.com/xwiki/xwiki-platform/commit/1a6f1b2e050770331c9a63d12a3fd8a36d199f62 • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2025-32972 – The lesscss script service allows cache clearing without programming right
https://notcve.org/view.php?id=CVE-2025-32972
30 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and sc... • https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e • CWE-285: Improper Authorization •
CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-32971 – XWiki Solr script service doesn't take dropped programming right into account
https://notcve.org/view.php?id=CVE-2025-32971
30 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's scripting API normally requires programming rights to be called. Due to using the wrong API for checking rights, it doesn't take the fact into account that programming rights might have been dropped by calling `$xco... • https://github.com/xwiki/xwiki-platform/commit/6570f40f976aec82baf388b5239d1412cab238c9 • CWE-863: Incorrect Authorization •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0CVE-2025-32970 – org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability
https://notcve.org/view.php?id=CVE-2025-32970
30 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirects to any URL. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0. • https://github.com/xwiki/xwiki-platform/commit/6dab7909f45deb00efd36a0cd47788e95ad64802 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 10.0EPSS: 5%CPEs: 3EXPL: 0CVE-2025-32969 – org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API
https://notcve.org/view.php?id=CVE-2025-32969
23 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used... • https://github.com/xwiki/xwiki-platform/commit/5c11a874bd24a581f534d283186e209bbccd8113 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2025-32968 – org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API
https://notcve.org/view.php?id=CVE-2025-32968
23 Apr 2025 — XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has b... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g9jj-75mx-wjcx • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •