Latest Xwiki Vulnerabilities

CVE-2024-38369
XWiki programming rights may be inherited by inclusion
maven/org.xwiki.platform:xwiki-platform-rendering-macro-include<15.0-rc-1
Xwiki Xwiki>=1.5<15.0
CVE-2024-21651
XWiki Denial of Service attack through attachments
maven/org.xwiki.platform:xwiki-platform-distribution-war>=15.6-rc-1<15.8-rc-1
maven/org.xwiki.platform:xwiki-platform-distribution-war>=15.0-rc-1<15.5.3
maven/org.xwiki.platform:xwiki-platform-distribution-war>=14.10<14.10.18
Xwiki Xwiki>=14.10<14.10.18
Xwiki Xwiki>=15.5<15.5.3
Xwiki Xwiki>=15.6<15.8
CVE-2024-21648
XWiki has no right protection on rollback action
maven/org.xwiki.platform:xwiki-platform>=15.6-rc-1<15.8-rc-1
maven/org.xwiki.platform:xwiki-platform>=15.0-rc-1<15.5.3
maven/org.xwiki.platform:xwiki-platform-oldcore>=1.0<14.10.17
Xwiki Xwiki<14.10.17
Xwiki Xwiki>=15.0<15.5.3
Xwiki Xwiki>=15.6<15.8
CVE-2024-21650
XWiki Remote Code Execution vulnerability via user registration
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.6-rc-1<15.8-rc-1
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.0-rc-1<15.5.3
maven/org.xwiki.platform:xwiki-platform-administration-ui>=2.2<14.10.17
Xwiki Xwiki<14.10.17
Xwiki Xwiki>=15.0<15.5.3
Xwiki Xwiki>=15.6<=15.7
CVE-2023-50732
Velocity execution without script right through tree macro
maven/org.xwiki.platform:xwiki-platform-index-tree-macro>=15.0-rc-1<15.2-rc-1
maven/org.xwiki.platform:xwiki-platform-index-tree-macro>=8.3-rc-1<14.10.7
Xwiki Xwiki>=8.3<14.10.7
Xwiki Xwiki>=15.0<15.2
CVE-2023-50723
XWiki Platform remote code execution/programming rights with configuration section from any user account
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.6-rc-1<15.7-rc-1
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.0-rc-1<15.5.2
maven/org.xwiki.platform:xwiki-platform-administration-ui>=2.3<14.10.15
Xwiki Xwiki>=2.3<14.10.5
Xwiki Xwiki>=15.0<15.5.2
Xwiki Xwiki=15.6
and 2 more
CVE-2023-50722
XWiki Platform XSS/CSRF Remote Code Execution in XWiki.ConfigurableClass
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.6-rc-1<15.7-rc-1
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.0-rc-1<15.5.2
maven/org.xwiki.platform:xwiki-platform-administration-ui>=2.3<14.10.15
Xwiki Xwiki>=2.3<14.10.5
Xwiki Xwiki>=15.0<15.5.2
Xwiki Xwiki=15.6
and 2 more
CVE-2023-50721
XWiki Platform RCE from account through SearchAdmin
maven/org.xwiki.platform:xwiki-platform-search-ui>=15.6-rc-1<15.7-rc-1
maven/org.xwiki.platform:xwiki-platform-search-ui>=15.0-rc-1<15.5.2
maven/org.xwiki.platform:xwiki-platform-search-ui>=4.5-rc-1<14.10.15
Xwiki Xwiki>=4.5<14.10.5
Xwiki Xwiki>=15.0<15.5.2
Xwiki Xwiki=15.6
and 2 more
CVE-2023-50719
XWiki Platform Solr search discloses password hashes of all users
Xwiki Xwiki>=7.3<14.10.5
Xwiki Xwiki>=15.0<15.5.2
Xwiki Xwiki=7.2-milestone2
Xwiki Xwiki=7.2-milestone3
Xwiki Xwiki=15.6
Xwiki Xwiki=15.6-rc1
and 4 more
CVE-2023-50720
XWiki Platform Solr search discloses email addresses of users
maven/org.xwiki.platform:xwiki-platform-search-solr-api>=15.6-rc-1<15.7-rc-1
maven/org.xwiki.platform:xwiki-platform-search-solr-api>=15.0-rc-1<15.5.2
maven/org.xwiki.platform:xwiki-platform-search-solr-api<14.10.15
Xwiki Xwiki<14.10.5
Xwiki Xwiki>=15.0<15.5.2
Xwiki Xwiki=15.6
and 2 more
CVE-2023-49280
Data leak of password hash through xwiki change request
maven/org.xwiki.contrib.changerequest:application-changerequest-default>=0.1<1.10
XWiki Change Request>=0.1<1.10
CVE-2023-48293
XWiki Admin Tools Application CSRF with QueryOnXWiki allows arbitrary database queries
maven/org.xwiki.contrib:xwiki-application-admintools<4.5.1
Xwiki Xwiki<4.5.1
CVE-2023-48292
XWiki Admin Tools Application Run Shell Command allows CSRF RCE attacks
maven/org.xwiki.contrib:xwiki-application-admintools>=4.4<4.5.1
XWiki Admin Tools>=4.4<4.5.1
CVE-2023-48241
XWiki exposed whole content of all documents of all wikis to anybody with view right on Solr suggest service
maven/org.xwiki.platform:xwiki-platform-search-solr-query>=15.0-rc-1<15.5.1
maven/org.xwiki.platform:xwiki-platform-search-solr-query>=6.3-milestone-2<14.10.15
Xwiki Xwiki>=6.4<14.10.5
Xwiki Xwiki>=15.0<15.5.1
Xwiki Xwiki=6.3-milestone2
Xwiki Xwiki=6.3-rc1
CVE-2023-48240
XWiki Platform sends cookies to external images in rendered diff and is vulnerable to server side request forgery
Xwiki Xwiki>=11.10.1<14.10.15
Xwiki Xwiki>=15.0<15.5.1
Xwiki Xwiki=15.6-rc1
maven/org.xwiki.platform:xwiki-platform-diff-xml>=15.6-rc-1<15.6
maven/org.xwiki.platform:xwiki-platform-diff-xml>=15.0-rc-1<15.5.1
maven/org.xwiki.platform:xwiki-platform-diff-xml>=11.10.1<14.10.15
CVE-2023-46743
The same file cannot be opened with different rights
Xwiki Application-collabora<1.3
CVE-2023-46243
Code execution via the edit action in XWiki platform
Xwiki Xwiki>=1.0<14.10.6
Xwiki Xwiki>=15.0<15.2
maven/org.xwiki.platform:xwiki-platform-oldcore>=1.0<14.10.6
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.0<15.2-rc-1
CVE-2023-46242
Code injection in XWiki Platform
Xwiki Xwiki>=1.0<14.10.7
Xwiki Xwiki>=15.0<15.2
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.0<15.2-rc-1
maven/org.xwiki.platform:xwiki-platform-oldcore>=1.0<14.10.7
CVE-2023-46244
Privilege escalation in Xwiki platform
maven/org.xwiki.platform:xwiki-platform-display-api>=15.0<15.2-rc-1
maven/org.xwiki.platform:xwiki-platform-display-api>=3.2-milestone-3<14.10.7
Xwiki Xwiki>=3.3<14.10.7
Xwiki Xwiki>=15.0<15.2
Xwiki Xwiki=3.2-milestone3
CVE-2023-46731
Remote code execution through the section parameter in Administration as guest in XWiki Platform
maven/org.xwiki.platform:xwiki-platform-administration<14.10.14
maven/org.xwiki.platform:xwiki-platform-administration-ui>=15.0-rc-1<15.5.1
maven/org.xwiki.platform:xwiki-platform-administration-ui<14.10.14
Xwiki Xwiki<14.10.14
Xwiki Xwiki>=15.0<15.5.1
CVE-2023-46732
Reflected Cross-site scripting through revision parameter in content menu in XWiki Platform
maven/org.xwiki.platform:xwiki-platform-flamingo-skin-resources>=15.0-rc-1<15.5.1
maven/org.xwiki.platform:xwiki-platform-flamingo-skin-resources>=9.7-rc-1<14.10.14
Xwiki Xwiki>=9.7<14.10.14
Xwiki Xwiki>=15.0<15.5.1
CVE-2023-45137
XWiki Platform XSS with edit right in the create document form for existing pages
maven/org.xwiki.platform:xwiki-platform-web>=3.1-milestone-2<13.4-rc-1
maven/org.xwiki.platform:xwiki-platform-web-templates>=15.0-rc-1<15.5-rc-1
maven/org.xwiki.platform:xwiki-platform-web-templates<14.10.12
Xwiki Xwiki>=3.1.1<13.4
Xwiki Xwiki>=14.0<14.10.12
Xwiki Xwiki>=15.0<15.5
and 2 more
CVE-2023-45136
XWiki Platform web templates vulnerable to reflected XSS in the create document form if name validation is enabled
Xwiki Xwiki>=12.0<14.10.12
Xwiki Xwiki>=15.0<15.5
Xwiki Xwiki=15.5-rc1
maven/org.xwiki.platform:xwiki-platform-web-templates>=15.0-rc-1<15.5-rc-1
maven/org.xwiki.platform:xwiki-platform-web-templates>=12.0-rc-1<14.10.12
CVE-2023-45135
XWiki users can be tricked to execute scripts as the create page action doesn't display the page's title
Xwiki Xwiki>=7.3<14.10.12
Xwiki Xwiki>=15.0<15.5
Xwiki Xwiki=7.2-milestone2
Xwiki Xwiki=7.2-milestone3
maven/org.xwiki.platform:xwiki-platform-web>=7.2-milestone-2<14.10.12
maven/org.xwiki.platform:xwiki-platform-web-templates>=15.0-rc-1<15.5-rc-1
and 1 more
CVE-2023-45134
XWiki Platform XSS vulnerability from account in the create page form via template provider
Xwiki Xwiki>=3.1.1<13.4
Xwiki Xwiki>=14.10<14.10.2
Xwiki Xwiki=2.4-milestone2
Xwiki Xwiki=2.5-milestone2
Xwiki Xwiki=3.0
Xwiki Xwiki=3.0-milestone_2
and 12 more
CVE-2023-37913
org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server side file writing from account through office converter
Xwiki Xwiki>=3.5<14.10.8
Xwiki Xwiki>=15.0<15.3
maven/org.xwiki.platform:xwiki-platform-office-importer>=15.0-rc-1<15.3-rc-1
maven/org.xwiki.platform:xwiki-platform-office-importer>=3.5-milestone-1<14.10.8
CVE-2023-37912
XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro
Xwiki Xwiki-rendering<14.10.6
Xwiki Xwiki-rendering=15.0-rc1
maven/org.xwiki.platform:xwiki-core-rendering-macro-footnotes<14.10.6
maven/org.xwiki.rendering:xwiki-rendering-macro-footnotes>=15.0-rc-1<15.1-rc-1
maven/org.xwiki.rendering:xwiki-rendering-macro-footnotes<14.10.6
CVE-2023-37911
org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents
Xwiki Xwiki>9.4<=14.10.8
Xwiki Xwiki=9.4-rc1
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.0-rc-1<15.3-rc-1
maven/org.xwiki.platform:xwiki-platform-oldcore>=9.4-rc-1<14.10.8
CVE-2023-37910
org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move
Xwiki Xwiki>=14.0<14.4.8
Xwiki Xwiki>=14.5<14.10.4
maven/org.xwiki.platform:xwiki-platform-attachment-api>=14.5<14.10.4
maven/org.xwiki.platform:xwiki-platform-attachment-api>=14.0-rc-1<14.4.8
CVE-2023-37909
Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet
Xwiki Xwiki>=5.1<14.10.8
maven/org.xwiki.platform:xwiki-platform-menu-ui>=15.0-rc-1<15.3-rc-1
maven/org.xwiki.platform:xwiki-platform-menu-ui>=5.1-rc-1<14.10.8
maven/org.xwiki.platform:xwiki-platform-menu>=5.1-rc-1<14.10.8
CVE-2023-37908
org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability
Xwiki Xwiki-rendering>=14.6<14.10.4
maven/org.xwiki.rendering:xwiki-rendering-xml>=14.6-rc-1<14.10.4
CVE-2023-45144
### Impact When login via the OAuth method, the identityOAuth parameters, sent in a GET request is vulnerable to XSS and XWiki syntax injection. This allows remote code execution via the groovy macro...
maven/com.xwiki.identity-oauth:identity-oauth-ui>=1.0<1.6
Xwiki Oauth Identity>=1.0<1.6
CVE-2023-45138
### Impact It's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This v...
maven/org.xwiki.contrib.changerequest:application-changerequest-ui>=0.11<1.9.2
XWiki Change Request>=0.11<1.9.2
CVE-2023-41046
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible in XWiki to execute Velocity code without having script right by creating an XCl...
Xwiki Xwiki>=7.2<14.10.10
Xwiki Xwiki>=15.0<15.4
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.0-rc-1<15.4-rc-1
maven/org.xwiki.platform:xwiki-platform-oldcore>=7.2<14.10.10
CVE-2023-40573
### Impact XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a doc...
maven/org.xwiki.platform:xwiki-platform-scheduler-api>=15.0-rc-1<15.4-rc-1
maven/com.xpn.xwiki.platform.plugins:xwiki-plugin-scheduler>=1.3
maven/org.xwiki.platform:xwiki-platform-scheduler-api<14.10.9
Xwiki Xwiki<14.10.9
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
and 6 more
CVE-2023-40572
### Impact The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, ...
Xwiki Xwiki<14.10.9
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
Xwiki Xwiki=15.1
Xwiki Xwiki=15.1-rc1
Xwiki Xwiki=15.2
and 3 more
CVE-2023-40177
### Impact Any registered user can use the content field of their user profile page to execute arbitrary scripts with programming rights, thus effectively performing rights escalation. The problem i...
Xwiki Xwiki>=4.3.1<14.10.5
Xwiki Xwiki=4.3-milestone2
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
CVE-2023-40176
### Impact Any registered user can exploit a stored XSS through their user profile by setting the payload as the value of the time zone user preference. Even though the time zone is selected from a d...
Xwiki Xwiki>=4.1.1<14.10.5
Xwiki Xwiki=4.1-milestone2
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
CVE-2023-37914
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view `Invitation.WebHome` can execute arbitrary script macros including Groovy...
Xwiki Xwiki>=2.5<14.4.8
Xwiki Xwiki>=14.5.0<14.10.6
Xwiki Xwiki>=15.0<15.2
maven/org.xwiki.platform:xwiki-platform-invitation-ui>=15.0-rc-1<15.2-rc-1
maven/org.xwiki.platform:xwiki-platform-invitation-ui>=14.5<14.10.6
maven/org.xwiki.platform:xwiki-platform-invitation-ui>=2.5-m-1<14.4.8
CVE-2023-38509
XWiki Platform's obfuscated email addresses should not be sorted
maven/org.xwiki.platform:xwiki-platform-livetable-ui>=15.0<15.3-rc-1
maven/org.xwiki.platform:xwiki-platform-livetable-ui>=3.5-milestone-1<14.10.9
Xwiki Xwiki>=3.5<14.10.9
CVE-2023-37462
### Impact Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to a possible privilege escalation from view right on that document to programming rights, or in other words, it is poss...
Xwiki Xwiki>=7.0<14.4.8
Xwiki Xwiki>=14.5<14.10.4
maven/org.xwiki.platform:xwiki-platform-skin-ui>=14.5<14.10.4
maven/org.xwiki.platform:xwiki-platform-skin-ui>=7.0-rc-1<14.4.8
CVE-2023-37277
### Impact The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/www-form-urlencoded` as content types which can be sent via regu...
Xwiki Xwiki>=1.8<14.10.8
Xwiki Xwiki>=15.0<15.2
maven/org.xwiki.platform:xwiki-platform-rest-server>=15.0-rc-1<15.2
maven/com.xpn.xwiki.platform:xwiki-rest>=1.8<14.10.8
maven/com.xpn.xwiki.platform:xwiki-core-rest-server>=1.8<14.10.8
maven/org.xwiki.platform:xwiki-platform-rest-server>=1.8<14.10.8
CVE-2023-36477
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights can edit all pages in the `CKEditor' space. This makes it possible to...
Xwiki Ckeditor Integration>=1.9<1.64.9
Xwiki Xwiki>=14.6<14.10.6
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
maven/org.xwiki.platform:xwiki-platform-ckeditor-ui>=15.0-rc-1<15.1
maven/org.xwiki.contrib:application-ckeditor-ui>=1.9<1.64.9
and 1 more
CVE-2023-36470
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By either creating a new or editing an existing document with an icon set, an attacker can inje...
Xwiki Xwiki>=6.2<14.10.6
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
Xwiki Xwiki=15.1
Xwiki Xwiki=15.1-rc1
maven/org.xwiki.platform:xwiki-platform-icon-ui>=15.0-rc-1<15.2-rc-1
and 5 more
CVE-2023-36468
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document,...
Xwiki Xwiki>=2.0<14.10.7
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
Xwiki Xwiki=15.1
Xwiki Xwiki=15.1-rc1
maven/org.xwiki.platform:xwiki-platform-oldcore>=15.0-rc-1<15.2-rc-1
and 1 more
CVE-2023-36469
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary sc...
Xwiki Xwiki>=9.6<14.10.6
Xwiki Xwiki=15.0
Xwiki Xwiki=15.0-rc1
Xwiki Xwiki=15.1
Xwiki Xwiki=15.1-rc1
maven/org.xwiki.platform:xwiki-platform-notifications-ui>=15.0-rc-1<15.2-rc-1
and 1 more
CVE-2023-36471
Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki...
XWiki Commons>=14.6<14.10.6
XWiki Commons=15.0
XWiki Commons=15.0-rc1
XWiki Commons=15.1
XWiki Commons=15.1-rc1
maven/org.xwiki.commons:xwiki-commons-xml>=15.0-rc-1<15.2-rc-1
and 1 more
CVE-2023-35155
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). ...
Xwiki Xwiki<14.4.8
Xwiki Xwiki>=14.10<14.10.4
CVE-2023-35158
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). ...
Xwiki Xwiki>=9.4<14.10.5
Xwiki Xwiki=9.4
Xwiki Xwiki=9.4-rc-1
Xwiki Xwiki=15.0
CVE-2023-35153
Xwiki Xwiki>=5.4.4<14.4.8
Xwiki Xwiki>=14.10<14.10.4
Xwiki Xwiki=15.0-rc1

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203