4966 matches found
XWiki makes title of inaccessible pages available through the class property values REST API
Impact The title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per reques...
GHSA-MVP5-QX9C-C3FV XWiki makes title of inaccessible pages available through the class property values REST API
Impact The title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per reques...
CVE-2025-49584
XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default...
CVE-2025-49584 XWiki makes title of inaccessible pages available through the class property values REST API
XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default...
CVE-2025-49584
CVE-2025-49584 (XWiki) affects XWiki Platform versions 10.9–16.4.6, 16.5.0-rc-1–16.10.2, and 17.0.0-rc-1. The REST API can disclose the titles of pages whose reference is known when an XClass with a page property is accessible, potentially leaking page names. Impact on confidentiality is task-dep...
CVE-2025-49584 XWiki makes title of inaccessible pages available through the class property values REST API
XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default...
CVE-2025-49584 XWiki makes title of inaccessible pages available through the class property values REST API
XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default...
WordPress REST API | Custom API Generator For Cross Platform And Import Export In WP plugin <= 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function vulnerability
Missing Authorization to Unauthenticated Privilege Escalation via processhandler Function vulnerability discovered by kr0d in WordPress Plugin REST API | Custom API Generator For Cross Platform And Import Export In WP versions = 2.0.3...
CVE-2025-5288 REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function
The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the processhandler function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an...
CVE-2025-5288
The CVE-2025-5288 entry concerns the WordPress REST API plugin “Custom API Generator For Cross Platform And Import Export In WP” (versions 1.0.0–2.0.3). The root cause is a missing capability check in the process_handler() function, enabling unauthenticated attackers to POST an arbitrary import_a...
WordPress plugin REST API | Custom API Generator For Cross Platform And Import Export In WP 安全漏洞
WordPress and WordPress plugin are products of the WordPress Foundation, a blogging platform developed in PHP. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. WordPress plugin REST API | Custom API Generator For Cross Platform And Impo...
PT-2025-25436 · Unknown · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 10.9 through 16.4.6 XWiki Platform versions 16.5.0-rc-1 through 16.10.2 XWiki Platform versions 17.0.0-rc-1 Description: The issue affects XWiki, a generic wiki platform, where an attacker can access the title of every...
XWiki allows SQL injection in query endpoint of REST API with Oracle
Impact It's possible to execute any SQL query in Oracle by using the function like DBMSXMLGEN or DBMSXMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. Patches This has been patched ...
GHSA-PRWH-7838-XF82 XWiki allows SQL injection in query endpoint of REST API with Oracle
Impact It's possible to execute any SQL query in Oracle by using the function like DBMSXMLGEN or DBMSXMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. Patches This has been patched ...
CVE-2025-27505
GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles rest and its subpaths but not rest with an extension e.g., rest.html. The REST API index can...
CVE-2024-56158 XWiki allows SQL injection in query endpoint of REST API with Oracle
XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMSXMLGEN or DBMSXMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. Thi...
CVE-2024-56158 XWiki allows SQL injection in query endpoint of REST API with Oracle
XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMSXMLGEN or DBMSXMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. Thi...
CVE-2025-49183
All communication with the REST API is unencrypted HTTP, allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files...
CVE-2025-49183 Unencrypted communication (HTTP)
All communication with the REST API is unencrypted HTTP, allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files...
CVE-2025-49183
CVE-2025-49183 affects SICK Field Analytics and SICK Media Server. Root cause: unencrypted REST API communications over HTTP allow an attacker to intercept traffic, enabling information gathering and potential media-file downloads. Impact is described as confidentiality concerns (information disc...