CVSS: 8.7EPSS: 0%CPEs: 3EXPL: 0CVE-2025-54125 – XWiki Platform: Password and email exposure in xml.vm fields
https://notcve.org/view.php?id=CVE-2025-54125
05 Aug 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7... • https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-54124 – XWiki Platform: Any user with editing rights can access password properties through Database List Properties
https://notcve.org/view.php?id=CVE-2025-54124
05 Aug 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, thi... • https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 3%CPEs: 3EXPL: 0CVE-2025-32430 – XWiki Platform contains Reflected XSS vulnerability in two templates
https://notcve.org/view.php?id=CVE-2025-32430
05 Aug 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. Th... • https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-52131
https://notcve.org/view.php?id=CVE-2025-52131
03 Aug 2025 — The Mocca Calendar application before 2.15 for XWiki allows XSS via the background or text color field. La aplicación Mocca Calendar para XWiki anterior a 2.15 permite XSS a través del campo de color de fondo o de texto. • https://extensions.xwiki.org/xwiki/bin/view/Extension/MoccaCalendar • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-52132
https://notcve.org/view.php?id=CVE-2025-52132
03 Aug 2025 — The Mocca Calendar application before 2.15 for XWiki allows XSS via a title to the view event page. La aplicación Mocca Calendar para XWiki anterior a 2.15 permite XSS a través de un título en la página de visualización de eventos. • https://extensions.xwiki.org/xwiki/bin/view/Extension/MoccaCalendar • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2025-52133
https://notcve.org/view.php?id=CVE-2025-52133
03 Aug 2025 — The Mocca Calendar application before 2.15 for XWiki allows XSS via a title upon calendar import. La aplicación Mocca Calendar para XWiki anterior a 2.15 permite XSS a través de un título al importar el calendario. • https://extensions.xwiki.org/xwiki/bin/view/Extension/MoccaCalendar • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-54385 – XWiki Platform's searchDocuments API allows for SQL injection
https://notcve.org/view.php?id=CVE-2025-54385
26 Jul 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in ot... • https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 3CVE-2025-32429 – XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
https://notcve.org/view.php?id=CVE-2025-32429
24 Jul 2025 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1. La plataforma XWiki es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones desarrolladas sobre ella. • https://packetstorm.news/files/id/207536 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.9EPSS: 1%CPEs: 3EXPL: 0CVE-2025-53836 – XWiki Rendering is vulnerable to RCE attacks when processing nested macros
https://notcve.org/view.php?id=CVE-2025-53836
14 Jul 2025 — XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that a... • https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53835 – XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax
https://notcve.org/view.php?id=CVE-2025-53835
14 Jul 2025 — XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version... • https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •