Latest Xwiki Vulnerabilities

XWiki Denial of Service attack through attachments
maven/org.xwiki.platform:xwiki-platform-distribution-war>=15.6-rc-1<15.8-rc-1
maven/org.xwiki.platform:xwiki-platform-distribution-war>=15.0-rc-1<15.5.3
maven/org.xwiki.platform:xwiki-platform-distribution-war>=14.10<14.10.18
Xwiki Xwiki>=14.10<14.10.18
Xwiki Xwiki>=15.5<15.5.3
Xwiki Xwiki>=15.6<15.8
XWiki has no right protection on rollback action
maven/org.xwiki.platform:xwiki-platform>=15.6-rc-1<15.8-rc-1
maven/org.xwiki.platform:xwiki-platform>=15.0-rc-1<15.5.3
maven/org.xwiki.platform:xwiki-platform-oldcore>=1.0<14.10.17
Xwiki Xwiki<14.10.17
Xwiki Xwiki>=15.0<15.5.3
Xwiki Xwiki>=15.6<15.8
XWiki Remote Code Execution vulnerability via user registration
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.6-rc-1<15.8-rc-1
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.0-rc-1<15.5.3
maven/org.xwiki.platform:xwiki-platform-administration-ui>=2.2<14.10.17
Xwiki Xwiki<14.10.17
Xwiki Xwiki>=15.0<15.5.3
Xwiki Xwiki>=15.6<=15.7
Velocity execution without script right through tree macro
maven/org.xwiki.platform:xwiki-platform-index-tree-macro>=15.0-rc-1<15.2-rc-1
maven/org.xwiki.platform:xwiki-platform-index-tree-macro>=8.3-rc-1<14.10.7
Xwiki Xwiki>=8.3<14.10.7
Xwiki Xwiki>=15.0<15.2
XWiki Platform remote code execution/programming rights with configuration section from any user account
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.6-rc-1<15.7-rc-1
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.0-rc-1<15.5.2
maven/org.xwiki.platform:xwiki-platform-administration-ui>=2.3<14.10.15
Xwiki Xwiki>=2.3<14.10.5
Xwiki Xwiki>=15.0<15.5.2
Xwiki Xwiki=15.6
and 2 more
XWiki Platform XSS/CSRF Remote Code Execution in XWiki.ConfigurableClass
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.6-rc-1<15.7-rc-1
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.0-rc-1<15.5.2
maven/org.xwiki.platform:xwiki-platform-administration-ui>=2.3<14.10.15
Xwiki Xwiki>=2.3<14.10.5
Xwiki Xwiki>=15.0<15.5.2
Xwiki Xwiki=15.6
and 2 more
XWiki Platform RCE from account through SearchAdmin
maven/org.xwiki.platform:xwiki-platform-search-ui>=15.6-rc-1<15.7-rc-1
maven/org.xwiki.platform:xwiki-platform-search-ui>=15.0-rc-1<15.5.2
maven/org.xwiki.platform:xwiki-platform-search-ui>=4.5-rc-1<14.10.15
Xwiki Xwiki>=4.5<14.10.5
Xwiki Xwiki>=15.0<15.5.2
Xwiki Xwiki=15.6
and 2 more
XWiki Platform Solr search discloses password hashes of all users
Xwiki Xwiki>=7.3<14.10.5
Xwiki Xwiki>=15.0<15.5.2
Xwiki Xwiki=7.2-milestone2
Xwiki Xwiki=7.2-milestone3
Xwiki Xwiki=15.6
Xwiki Xwiki=15.6-rc1
and 4 more
XWiki Platform Solr search discloses email addresses of users
maven/org.xwiki.platform:xwiki-platform-search-solr-api>=15.6-rc-1<15.7-rc-1
maven/org.xwiki.platform:xwiki-platform-search-solr-api>=15.0-rc-1<15.5.2
maven/org.xwiki.platform:xwiki-platform-search-solr-api<14.10.15
Xwiki Xwiki<14.10.5
Xwiki Xwiki>=15.0<15.5.2
Xwiki Xwiki=15.6
and 2 more
Data leak of password hash through xwiki change request
maven/org.xwiki.contrib.changerequest:application-changerequest-default>=0.1<1.10
XWiki Change Request>=0.1<1.10
XWiki Admin Tools Application CSRF with QueryOnXWiki allows arbitrary database queries
maven/org.xwiki.contrib:xwiki-application-admintools<4.5.1
Xwiki Xwiki<4.5.1
XWiki Admin Tools Application Run Shell Command allows CSRF RCE attacks
maven/org.xwiki.contrib:xwiki-application-admintools>=4.4<4.5.1
XWiki Admin Tools>=4.4<4.5.1
XWiki exposed whole content of all documents of all wikis to anybody with view right on Solr suggest service
maven/org.xwiki.platform:xwiki-platform-search-solr-query>=15.0-rc-1<15.5.1
maven/org.xwiki.platform:xwiki-platform-search-solr-query>=6.3-milestone-2<14.10.15
Xwiki Xwiki>=6.4<14.10.5
Xwiki Xwiki>=15.0<15.5.1
Xwiki Xwiki=6.3-milestone2
Xwiki Xwiki=6.3-rc1
XWiki Platform sends cookies to external images in rendered diff and is vulnerable to server side request forgery
Xwiki Xwiki>=11.10.1<14.10.15
Xwiki Xwiki>=15.0<15.5.1
Xwiki Xwiki=15.6-rc1
maven/org.xwiki.platform:xwiki-platform-diff-xml>=15.6-rc-1<15.6
maven/org.xwiki.platform:xwiki-platform-diff-xml>=15.0-rc-1<15.5.1
maven/org.xwiki.platform:xwiki-platform-diff-xml>=11.10.1<14.10.15
The same file cannot be opened with different rights
Xwiki Application-collabora<1.3
Code execution via the edit action in XWiki platform
Xwiki Xwiki>=1.0<14.10.6
Xwiki Xwiki>=15.0<15.2
maven/org.xwiki.platform:xwiki-platform-oldcore>=1.0<14.10.6
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.0<15.2-rc-1
Code injection in XWiki Platform
Xwiki Xwiki>=1.0<14.10.7
Xwiki Xwiki>=15.0<15.2
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.0<15.2-rc-1
maven/org.xwiki.platform:xwiki-platform-oldcore>=1.0<14.10.7
Privilege escalation in Xwiki platform
maven/org.xwiki.platform:xwiki-platform-display-api>=15.0<15.2-rc-1
maven/org.xwiki.platform:xwiki-platform-display-api>=3.2-milestone-3<14.10.7
Xwiki Xwiki>=3.3<14.10.7
Xwiki Xwiki>=15.0<15.2
Xwiki Xwiki=3.2-milestone3
Remote code execution through the section parameter in Administration as guest in XWiki Platform
maven/org.xwiki.platform:xwiki-platform-administration<14.10.14
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.0-rc-1<15.5.1
maven/org.xwiki.platform:xwiki-platform-administration-ui<14.10.14
Xwiki Xwiki<14.10.14
Xwiki Xwiki>=15.0<15.5.1
Reflected Cross-site scripting through revision parameter in content menu in XWiki Platform
maven/org.xwiki.platform:xwiki-platform-flamingo-skin-resources>=15.0-rc-1<15.5.1
maven/org.xwiki.platform:xwiki-platform-flamingo-skin-resources>=9.7-rc-1<14.10.14
Xwiki Xwiki>=9.7<14.10.14
Xwiki Xwiki>=15.0<15.5.1
XWiki Platform XSS with edit right in the create document form for existing pages
maven/org.xwiki.platform:xwiki-platform-web>=3.1-milestone-2<13.4-rc-1
maven/org.xwiki.platform:xwiki-platform-web-templates>=15.0-rc-1<15.5-rc-1
maven/org.xwiki.platform:xwiki-platform-web-templates<14.10.12
Xwiki Xwiki>=3.1.1<13.4
Xwiki Xwiki>=14.0<14.10.12
Xwiki Xwiki>=15.0<15.5
and 2 more
XWiki Platform web templates vulnerable to reflected XSS in the create document form if name validation is enabled
Xwiki Xwiki>=12.0<14.10.12
Xwiki Xwiki>=15.0<15.5
Xwiki Xwiki=15.5-rc1
maven/org.xwiki.platform:xwiki-platform-web-templates>=15.0-rc-1<15.5-rc-1
maven/org.xwiki.platform:xwiki-platform-web-templates>=12.0-rc-1<14.10.12
XWiki users can be tricked to execute scripts as the create page action doesn't display the page's title
Xwiki Xwiki>=7.3<14.10.12
Xwiki Xwiki>=15.0<15.5
Xwiki Xwiki=7.2-milestone2
Xwiki Xwiki=7.2-milestone3
maven/org.xwiki.platform:xwiki-platform-web>=7.2-milestone-2<14.10.12
maven/org.xwiki.platform:xwiki-platform-web-templates>=15.0-rc-1<15.5-rc-1
and 1 more
XWiki Platform XSS vulnerability from account in the create page form via template provider
Xwiki Xwiki>=3.1.1<13.4
Xwiki Xwiki>=14.10<14.10.2
Xwiki Xwiki=2.4-milestone2
Xwiki Xwiki=2.5-milestone2
Xwiki Xwiki=3.0
Xwiki Xwiki=3.0-milestone_2
and 12 more
org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter
Xwiki Xwiki>=3.5<14.10.8
Xwiki Xwiki>=15.0<15.3
maven/org.xwiki.platform:xwiki-platform-office-importer>=15.0-rc-1<15.3-rc-1
maven/org.xwiki.platform:xwiki-platform-office-importer>=3.5-milestone-1<14.10.8
XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro
Xwiki Xwiki-rendering<14.10.6
Xwiki Xwiki-rendering=15.0-rc1
maven/org.xwiki.platform:xwiki-core-rendering-macro-footnotes<14.10.6
maven/org.xwiki.rendering:xwiki-rendering-macro-footnotes>=15.0-rc-1<15.1-rc-1
maven/org.xwiki.rendering:xwiki-rendering-macro-footnotes<14.10.6
org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents
Xwiki Xwiki>9.4<=14.10.8
Xwiki Xwiki=9.4-rc1
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.0-rc-1<15.3-rc-1
maven/org.xwiki.platform:xwiki-platform-oldcore>=9.4-rc-1<14.10.8
org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move
Xwiki Xwiki>=14.0<14.4.8
Xwiki Xwiki>=14.5<14.10.4
maven/org.xwiki.platform:xwiki-platform-attachment-api>=14.5<14.10.4
maven/org.xwiki.platform:xwiki-platform-attachment-api>=14.0-rc-1<14.4.8
Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet
Xwiki Xwiki>=5.1<14.10.8
maven/org.xwiki.platform:xwiki-platform-menu-ui>=15.0-rc-1<15.3-rc-1
maven/org.xwiki.platform:xwiki-platform-menu-ui>=5.1-rc-1<14.10.8
maven/org.xwiki.platform:xwiki-platform-menu>=5.1-rc-1<14.10.8
org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability
Xwiki Xwiki-rendering>=14.6<14.10.4
maven/org.xwiki.rendering:xwiki-rendering-xml>=14.6-rc-1<14.10.4
### Impact When login via the OAuth method, the identityOAuth parameters, sent in a GET request is vulnerable to XSS and XWiki syntax injection. This allows remote code execution via the groovy macro...
maven/com.xwiki.identity-oauth:identity-oauth-ui>=1.0<1.6
Xwiki Oauth Identity>=1.0<1.6
### Impact It's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This v...
maven/org.xwiki.contrib.changerequest:application-changerequest-ui>=0.11<1.9.2
XWiki Change Request>=0.11<1.9.2
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible in XWiki to execute Velocity code without having script right by creating an XCl...
Xwiki Xwiki>=7.2<14.10.10
Xwiki Xwiki>=15.0<15.4
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.0-rc-1<15.4-rc-1
maven/org.xwiki.platform:xwiki-platform-oldcore>=7.2<14.10.10
### Impact XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a doc...
maven/org.xwiki.platform:xwiki-platform-scheduler-api>=15.0-rc-1<15.4-rc-1
maven/com.xpn.xwiki.platform.plugins:xwiki-plugin-scheduler>=1.3
maven/org.xwiki.platform:xwiki-platform-scheduler-api<14.10.9
Xwiki Xwiki<14.10.9
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
and 6 more
### Impact The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, ...
Xwiki Xwiki<14.10.9
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
Xwiki Xwiki=15.1
Xwiki Xwiki=15.1-rc1
Xwiki Xwiki=15.2
and 3 more
### Impact Any registered user can use the content field of their user profile page to execute arbitrary scripts with programming rights, thus effectively performing rights escalation. The problem i...
Xwiki Xwiki>=4.3.1<14.10.5
Xwiki Xwiki=4.3-milestone2
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
### Impact Any registered user can exploit a stored XSS through their user profile by setting the payload as the value of the time zone user preference. Even though the time zone is selected from a d...
Xwiki Xwiki>=4.1.1<14.10.5
Xwiki Xwiki=4.1-milestone2
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view `Invitation.WebHome` can execute arbitrary script macros including Groovy...
Xwiki Xwiki>=2.5<14.4.8
Xwiki Xwiki>=14.5.0<14.10.6
Xwiki Xwiki>=15.0<15.2
maven/org.xwiki.platform:xwiki-platform-invitation-ui>=15.0-rc-1<15.2-rc-1
maven/org.xwiki.platform:xwiki-platform-invitation-ui>=14.5<14.10.6
maven/org.xwiki.platform:xwiki-platform-invitation-ui>=2.5-m-1<14.4.8
XWiki Platform's obfuscated email addresses should not be sorted
maven/org.xwiki.platform:xwiki-platform-livetable-ui>=15.0<15.3-rc-1
maven/org.xwiki.platform:xwiki-platform-livetable-ui>=3.5-milestone-1<14.10.9
Xwiki Xwiki>=3.5<14.10.9
### Impact Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to a possible privilege escalation from view right on that document to programming rights, or in other words, it is poss...
Xwiki Xwiki>=7.0<14.4.8
Xwiki Xwiki>=14.5<14.10.4
maven/org.xwiki.platform:xwiki-platform-skin-ui>=14.5<14.10.4
maven/org.xwiki.platform:xwiki-platform-skin-ui>=7.0-rc-1<14.4.8
### Impact The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/www-form-urlencoded` as content types which can be sent via regu...
Xwiki Xwiki>=1.8<14.10.8
Xwiki Xwiki>=15.0<15.2
maven/org.xwiki.platform:xwiki-platform-rest-server>=15.0-rc-1<15.2
maven/com.xpn.xwiki.platform:xwiki-rest>=1.8<14.10.8
maven/com.xpn.xwiki.platform:xwiki-core-rest-server>=1.8<14.10.8
maven/org.xwiki.platform:xwiki-platform-rest-server>=1.8<14.10.8
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights can edit all pages in the `CKEditor' space. This makes it possible to...
Xwiki Ckeditor Integration>=1.9<1.64.9
Xwiki Xwiki>=14.6<14.10.6
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
maven/org.xwiki.platform:xwiki-platform-ckeditor-ui>=15.0-rc-1<15.1
maven/org.xwiki.contrib:application-ckeditor-ui>=1.9<1.64.9
and 1 more
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary sc...
Xwiki Xwiki>=9.6<14.10.6
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
Xwiki Xwiki=15.1
Xwiki Xwiki=15.1-rc1
maven/org.xwiki.platform:xwiki-platform-notifications-ui>=15.0-rc-1<15.2-rc-1
and 1 more
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By either creating a new or editing an existing document with an icon set, an attacker can inje...
Xwiki Xwiki>=6.2<14.10.6
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
Xwiki Xwiki=15.1
Xwiki Xwiki=15.1-rc1
maven/org.xwiki.platform:xwiki-platform-icon-ui>=15.0-rc-1<15.2-rc-1
and 5 more
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document,...
Xwiki Xwiki>=2.0<14.10.7
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
Xwiki Xwiki=15.1
Xwiki Xwiki=15.1-rc1
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.0-rc-1<15.2-rc-1
and 1 more
Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki...
XWiki Commons>=14.6<14.10.6
XWiki Commons=15.0
XWiki Commons=15.0-rc1
XWiki Commons=15.1
XWiki Commons=15.1-rc1
maven/org.xwiki.commons:xwiki-commons-xml>=15.0-rc-1<15.2-rc-1
and 1 more
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). ...
Xwiki Xwiki<14.4.8
Xwiki Xwiki>=14.10<14.10.4
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). ...
Xwiki Xwiki>=9.4<14.10.5
Xwiki Xwiki=9.4
Xwiki Xwiki=9.4-rc-1
Xwiki Xwiki=15.0
Xwiki Xwiki>=5.4.4<14.4.8
Xwiki Xwiki>=14.10<14.10.4
Xwiki Xwiki=15.0-rc1
XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, `Mail.MailConfig` can be edited by any logged-in user by default. Consequently...
Xwiki Xwiki>=11.8.1<14.4.8
Xwiki Xwiki>=14.10<14.10.6
Xwiki Xwiki=11.8-milestone1
Xwiki Xwiki=15.0

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203