Lucene search
K

33 matches found

RedhatCVE
RedhatCVE
added 2026/01/09 9:0 a.m.7 views

CVE-2023-29214

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the...

9.9CVSS7.4AI score0.01193EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2025-18299

Malicious code in bioql PyPI...

8.6CVSS6.3AI score0.0036EPSS
Exploits1References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2025-12743

Malicious code in bioql PyPI...

3.8CVSS6.4AI score0.00334EPSS
Exploits1References5
OSV
OSV
added 2025/08/05 5:13 p.m.7 views

GHSA-57Q2-6CP4-9MQ3 XWiki exposes passwords and emails stored in fields not named password/email in xml.vm

Impact The XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This allows any user to obtain the salted and hashed user accou...

8.7CVSS6.3AI score0.01285EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2025/08/05 5:12 p.m.14 views

XWiki leaks password hashes and other accessible password properties

Impact Any user with edit right on a page of the wiki can create an XClass with a database list property that references a password property, for example the password hash that is stored for users. When adding an object of that XClass, the content of that password property is displayed. In...

7.1CVSS6.8AI score0.00425EPSS
Exploits1References5Affected Software2
OpenVAS
OpenVAS
added 2025/07/18 12:0 a.m.3 views

XWiki 11.10.11 < 16.4.7, 16.5.0-rc-1 < 16.10.3, 17.0.0-rc-1 < 17.0.0 RCE Vulnerability (GHSA-9875-cw22-f7cx)

Xwiki is prone to a remote code execution RCE vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:xwiki:xwiki";...

8.8CVSS6.5AI score0.00489EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/06/15 5:19 p.m.4 views

CVE-2025-49582

XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are...

8.6CVSS7.3AI score0.00717EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2025/06/13 8:38 p.m.17 views

XWiki's required right warnings for macros are incomplete

Impact When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an...

8.6CVSS7.2AI score0.00717EPSS
Exploits1References11Affected Software4
CVE
CVE
added 2025/06/13 5:51 p.m.63 views

CVE-2025-49587

Summary (CVE-2025-49587) : XWiki Platform is vulnerable to reflected XSS when a user without script rights creates a document containing an XWiki.Notifications.Code.NotificationDisplayerClass object, and an admin later edits and saves the document. The potentially malicious object content is outp...

8CVSS5.8AI score0.0036EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2025/06/13 5:33 p.m.59 views

CVE-2025-49585

XWiki vulnerability CVE-2025-49585 affects multiple pre-patched releases: before 15.10.16, 16.0.0-rc-1 → 16.4.6, and 16.5.0-rc-1 → 16.10.1. An attacker with no script/programming rights can create an XClass definition (requires edit rights), and if the same document is later edited by someone wit...

8.6CVSS6.5AI score0.0036EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2025/06/13 4:41 p.m.80 views

CVE-2025-49582

XWiki platform is affected by a remote code execution risk due to incomplete required-right analyzers for dangerous macros. The issue allows a page to include Groovy or Python macros hidden by a user with lower privileges, which could be executed when another user with higher rights edits the pag...

8.6CVSS7.4AI score0.00717EPSS
Exploits1References9Affected Software1
Vulnrichment
Vulnrichment
added 2025/06/13 4:41 p.m.6 views

CVE-2025-49582 XWiki's required right warnings for macros are incomplete

XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are...

8.6CVSS7.4AI score0.00717EPSS
Exploits1References9
Positive Technologies
Positive Technologies
added 2025/06/13 12:0 a.m.9 views

PT-2025-25438 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki versions prior to 16.4.7 XWiki versions prior to 16.10.3 XWiki versions prior to 17.0.0 Description: The issue allows any XWiki user with edit rights on at least one App Within Minutes application to obtain programming rights and perfor...

8.7CVSS7.2AI score0.00641EPSS
Exploits1References13
RedhatCVE
RedhatCVE
added 2025/05/23 7:40 a.m.13 views

CVE-2024-31465

XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.20, 15.5.4, and 15.9-rc-1, any user with edit right on any page can execute any code on the server by adding an object of type XWiki.SearchSuggestSourceClass to their user profile or any other page...

9.9CVSS7.1AI score0.75575EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 2:29 a.m.9 views

CVE-2023-36471

Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishi...

9CVSS7.4AI score0.01021EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 6:52 p.m.7 views

CVE-2021-43841

XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. This problem has been patched so that...

5.4CVSS6.7AI score0.0087EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/05/22 3:55 p.m.11 views

CVE-2020-13654

XWiki Platform before 12.8 mishandles escaping in the property displayer...

7.5CVSS6.8AI score0.01884EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2025/05/21 6:32 p.m.8 views

CVE-2006-7223

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifyi...

6.5CVSS7.8AI score0.01507EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/05/21 5:38 p.m.15 views

CVE-2025-48063 XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right

XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are...

4.8CVSS7.4AI score0.0078EPSS
Exploits1References3
OSV
OSV
added 2025/05/21 5:38 p.m.19 views

CVE-2025-48063 XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right

XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are...

4.8CVSS7.5AI score0.0078EPSS
Exploits1References5
Rows per page
Query Builder