CVSS: 10.0EPSS: 93%CPEs: 2EXPL: 6CVE-2025-24893 – Remote code execution as guest via SolrSearchMacros request in xwiki
https://notcve.org/view.php?id=CVE-2025-24893
20 Feb 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `
CVSS: 9.0EPSS: 4%CPEs: 3EXPL: 0CVE-2025-23025 – Privilege escalation (PR) through realtime WYSIWYG editing in XWiki
https://notcve.org/view.php?id=CVE-2025-23025
14 Jan 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights... • https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection • CWE-862: Missing Authorization •
CVSS: 9.1EPSS: 41%CPEs: 2EXPL: 0CVE-2024-55879 – XWiki allows RCE from script right in configurable sections
https://notcve.org/view.php?id=CVE-2024-55879
12 Dec 2024 — XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading. • https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d • CWE-862: Missing Authorization •
CVSS: 9.9EPSS: 63%CPEs: 3EXPL: 0CVE-2024-55877 – XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList
https://notcve.org/view.php?id=CVE-2024-55877
12 Dec 2024 — XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a ... • https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-55876 – XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
https://notcve.org/view.php?id=CVE-2024-55876
12 Dec 2024 — XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. • https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331 • CWE-862: Missing Authorization •
CVSS: 9.9EPSS: 35%CPEs: 2EXPL: 0CVE-2024-55662 – XWiki allows remote code execution through the extension sheet
https://notcve.org/view.php?id=CVE-2024-55662
12 Dec 2024 — XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches ... • https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46978 – Missing checks for notification filter preferences editions in XWiki Platform
https://notcve.org/view.php?id=CVE-2024-46978
18 Sep 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing the ID of a notification filter preference of another user, to enable/disable it or even delete it. The impact is that the target user might start loosing notifications on some pages because of this. This vulnerability is present in XWiki since 13.2-rc-1. This vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. • https://github.com/xwiki/xwiki-platform/commit/e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4 • CWE-648: Incorrect Use of Privileged APIs •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46979 – Data leak of notification filters of users in XWiki Platform
https://notcve.org/view.php?id=CVE-2024-46979
18 Sep 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to get access to notification filters of any user by using a URL such as `
CVSS: 5.3EPSS: 48%CPEs: 2EXPL: 0CVE-2024-45591 – XWiki Platform document history including authors of any page exposed to unauthorized actors
https://notcve.org/view.php?id=CVE-2024-45591
10 Sep 2024 — XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing ... • https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 3%CPEs: 4EXPL: 0CVE-2024-43400 – XWiki Platform allows XSS through XClass name in string properties
https://notcve.org/view.php?id=CVE-2024-43400
19 Aug 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. • https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •