10 matches found
CVE-2025-54990
XWiki AdminTools integrates administrative tools for managing a running XWiki instance. Prior to version 1.1, users without admin rights have access to AdminTools.SpammedPages. View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is visible to non admin...
XWiki AdminTools application doesn't set permissions on the AdminTools space
Impact Users without admin rights have access to AdminTools.SpammedPages. Details View rights are not restricted only to admin users for AdminTools.SpammedPages. While no data is visible to non admin users, the page is still accessible. Workarounds Set the view rights for the AdminTools space to ...
CVE-2023-36477 Persistent Cross-site Scripting (XSS) through CKEditor Configuration pages in XWiki Platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights can edit all pages in the CKEditor' space. This makes it possible to perform a variety of harmful actions, such as removing technical documents, leading to loss of...
CVE-2023-34465 XWiki Platform's Mail.MailConfig can be edited by any user with edit rights
XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, Mail.MailConfig can be edited by any logged-in user by default. Consequently, they can change the mail obfuscation configuration and view and edit the mail sending...
XWiki Platform's Mail.MailConfig can be edited by any user with edit rights
Impact Mail.MailConfig can be edited by any logged-in user by default. Consequently, they can: - change the mail obfuscation configuration - view and edit the mail sending configuration, including the smtp domain name and credentials. Patches The problem has been patched on XWiki 14.4.8, 15.1, an...
GHSA-G75C-CJR6-39MC XWiki Platform's Mail.MailConfig can be edited by any user with edit rights
Impact Mail.MailConfig can be edited by any logged-in user by default. Consequently, they can: - change the mail obfuscation configuration - view and edit the mail sending configuration, including the smtp domain name and credentials. Patches The problem has been patched on XWiki 14.4.8, 15.1, an...
CVE-2022-39387
XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Prior to version 1.29.1, even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider its details through request parameters. One can then bypass the XWi...
GHSA-M7GV-V8XX-V47W XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider
Impact Even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider by providing its details through request parameters. One can then bypass the XWiki authentication altogether by specifying its own provider through the...
XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider
Impact Even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider by providing its details through request parameters. One can then bypass the XWiki authentication altogether by specifying its own provider through the...
CVE-2022-39387 XWiki OIDC Authenticator vulnerable to OpenID login bypass due to improper authentication
XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Prior to version 1.29.1, even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider its details through request parameters. One can then bypass the XWi...