4966 matches found

Github Security Blog
added 2025/06/13 8:42 p.m. · 15 views

XWiki makes title of inaccessible pages available through the class property values REST API

Impact: The title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, which is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per reques...

CVSS 8.7 · AI score 6.3 · EPSS 0.00375
Exploits 1 · References 5 · Affected Software 1

OSV
added 2025/06/13 8:42 p.m. · 4 views

GHSA-MVP5-QX9C-C3FV XWiki makes title of inaccessible pages available through the class property values REST API

Impact: The title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, which is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per reques...

CVSS 8.7 · AI score 6.9 · EPSS 0.00375
Exploits 1 · References 5

NVD
added 2025/06/13 6:15 p.m. · 17 views

CVE-2025-49584

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, which is the default...

CVSS 8.7 · EPSS 0.00375
Exploits 1 · References 3

Vulnrichment
added 2025/06/13 5:21 p.m. · 10 views

CVE-2025-49584 XWiki makes title of inaccessible pages available through the class property values REST API

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, which is the default...

CVSS 8.7 · AI score 6.4 · EPSS 0.00375
Exploits 1 · References 3

CVE
added 2025/06/13 5:21 p.m. · 88 views

CVE-2025-49584

CVE-2025-49584 (XWiki) affects XWiki Platform versions 10.9–16.4.6, 16.5.0-rc-1–16.10.2, and 17.0.0-rc-1. The REST API can disclose the titles of pages whose reference is known when an XClass with a page property is accessible, potentially leaking page names. Impact on confidentiality is task-dep...

CVSS 8.7 · AI score 6.4 · EPSS 0.00375
Exploits 1 · References 3 · Affected Software 1

OSV
added 2025/06/13 5:21 p.m. · 4 views

CVE-2025-49584 XWiki makes title of inaccessible pages available through the class property values REST API

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, which is the default...

CVSS 8.7 · AI score 6.4 · EPSS 0.00375
Exploits 1 · References 5

Cvelist
added 2025/06/13 5:21 p.m. · 15 views

CVE-2025-49584 XWiki makes title of inaccessible pages available through the class property values REST API

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, which is the default...

CVSS 8.7 · EPSS 0.00375
Exploits 1 · References 3

Patchstack
added 2025/06/13 6:41 a.m. · 34 views

WordPress REST API | Custom API Generator For Cross Platform And Import Export In WP plugin <= 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function vulnerability

Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function vulnerability discovered by kr0d in WordPress Plugin REST API | Custom API Generator For Cross Platform And Import Export In WP versions <= 2.0.3...

CVSS 9.8 · AI score 6.7 · EPSS 0.00532
Exploits 1 · References 1 · Affected Software 1

Vulnrichment
added 2025/06/13 1:47 a.m. · 11 views

CVE-2025-5288 REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function

The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler function in versions 1.0.0 to 2.0.3. This makes it possible for unauthenticated attackers to POST an...

CVSS 9.8 · AI score 7.2 · EPSS 0.00532
Exploits 1 · References 3

CVE
added 2025/06/13 1:47 a.m. · 99 views

CVE-2025-5288

The CVE-2025-5288 entry concerns the WordPress REST API plugin “Custom API Generator For Cross Platform And Import Export In WP” (versions 1.0.0–2.0.3). The root cause is a missing capability check in the process_handler() function, enabling unauthenticated attackers to POST an arbitrary import_a...

CVSS 9.8 · AI score 9.4 · EPSS 0.00532
Exploits 1 · References 3

CNNVD
added 2025/06/13 12:00 a.m. · 8 views

WordPress plugin REST API | Custom API Generator For Cross Platform And Import Export In WP security vulnerability

WordPress is a blogging platform developed in PHP by the WordPress Foundation; it runs on PHP and MySQL servers and supports personal blog sites. A WordPress plugin is an application plugin for that platform. WordPress plugin REST API | Custom API Generator For Cross Platform And Impo...

CVSS 9.8 · AI score 8.2 · EPSS 0.00532
Exploits 1 · References 4

Positive Technologies
added 2025/06/13 12:00 a.m. · 5 views

PT-2025-25436 · Unknown · Xwiki Platform

Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 10.9 through 16.4.6; XWiki Platform versions 16.5.0-rc-1 through 16.10.2; XWiki Platform version 17.0.0-rc-1. Description: The issue affects XWiki, a generic wiki platform, where an attacker can access the title of every...

CVSS 8.7 · AI score 6.2 · EPSS 0.00375
Exploits 1 · References 11
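Added example (not XWiki project code): a version check against the affected ranges stated in the CVE-2025-49584 entries above. The point it makes is that XWiki versions carry "-rc-N" suffixes and multi-digit components, so "16.10.2" must sort above "16.5.0" and "17.0.0-rc-1" below "17.0.0"; a plain string comparison gets both wrong. The function names, the "milestone" tag handling and the pre-release ordering are assumptions made here.

```python
import re
from typing import Tuple

# Inclusive affected ranges, copied from the advisory text above.
AFFECTED_RANGES = [
    ("10.9", "16.4.6"),
    ("16.5.0-rc-1", "16.10.2"),
    ("17.0.0-rc-1", "17.0.0-rc-1"),
]

# Accepts "16.10.2", "16.5.0-rc-1" and, as an assumption, "17.0.0-milestone-1".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)-?(\d+)?)?$")
# Pre-release ordering assumed here: milestone < rc < final release.
_STAGE = {"milestone": 0, "rc": 1}


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, int]:
    """Parse '16.5.0-rc-1' into ((16, 5, 0), 1, 1): numeric parts, stage, stage number.

    Numeric parts are right-padded with zeros to three components so that
    '10.9' and '10.9.0' compare equal; the stage ranks pre-releases below finals.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * max(0, 3 - len(nums))
    tag, num = m.group(2), m.group(3)
    stage = 2 if tag is None else _STAGE.get(tag.lower(), 0)
    return (nums, stage, (int(num) if num else 0))


def is_affected(version: str) -> bool:
    """True if `version` lies inside any affected range (both bounds inclusive)."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    for v in ["16.4.6", "16.4.7", "16.10.2", "16.10.3", "17.0.0-rc-1", "17.0.0-rc-2", "9.8"]:
        print(f"{v:>12}: {'affected' if is_affected(v) else 'not in an affected range'}")
```

Only the ranges the entries state are encoded; the script says nothing about which later versions carry the fix, because the listing does not.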

Github Security Blog
added 2025/06/12 9:52 p.m. · 37 views

XWiki allows SQL injection in query endpoint of REST API with Oracle

Impact: It's possible to execute any SQL query in Oracle by using functions like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select, and Hibernate allows using any native function in an HQL query. Patches: This has been patched ...

CVSS 9.8 · AI score 6.8 · EPSS 0.00431
Exploits 0 · References 5 · Affected Software 1

OSV
added 2025/06/12 9:52 p.m. · 5 views

GHSA-PRWH-7838-XF82 XWiki allows SQL injection in query endpoint of REST API with Oracle

Impact: It's possible to execute any SQL query in Oracle by using functions like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select, and Hibernate allows using any native function in an HQL query. Patches: This has been patched ...

CVSS 9.3 · AI score 7.4 · EPSS 0.00431
Exploits 0 · References 5

RedhatCVE
added 2025/06/12 3:21 p.m. · 6 views

CVE-2025-27505

GeoServer is an open source server that allows users to share and edit geospatial data. It is possible to bypass the default REST API security and access the index page. The REST API security handles the rest path and its subpaths, but not rest with an extension appended, e.g. rest.html. The REST API index can...

CVSS 5.3 · AI score 5.1 · EPSS 0.01022
Exploits 0 · References 1
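Added example (not GeoServer code): a reconstruction of the path-matching gap the CVE-2025-27505 entry above describes. A rule written for the base path and its subpaths never fires for the base path with an extension, so "rest.html" reaches the index with no rule applied. The Ant-style matcher, the rule sets, the "/rest.*" hardening and the probe paths are all constructed here for illustration and are not GeoServer's actual configuration or fix.

```python
import re
from typing import List


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern into an anchored regular expression.
    '**' matches across '/' boundaries, '*' within one segment, '?' one character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def is_protected(path: str, rules: List[str]) -> bool:
    """True if at least one rule pattern applies to the request path."""
    return any(ant_to_regex(rule).match(path) for rule in rules)


def bypass_candidates(rules: List[str], probes: List[str]) -> List[str]:
    """Probe paths that no rule matches, i.e. requests that reach the resource
    with no access rule applied at all."""
    return [p for p in probes if not is_protected(p, rules)]


# Rule set of the shape the advisory describes: the base path and its subpaths.
NARROW_RULES = ["/rest", "/rest/**"]
# Hardened rule set (assumption for this example, not GeoServer's fix): the base
# path is also matched when an extension such as .html, .json or .xml is appended.
HARDENED_RULES = ["/rest", "/rest.*", "/rest/**"]
# Constructed probe paths.
PROBES = ["/rest", "/rest/", "/rest/index.html", "/rest.html", "/rest.json", "/rest.xml"]

if __name__ == "__main__":
    print("slip past narrow rules:  ", bypass_candidates(NARROW_RULES, PROBES))
    print("slip past hardened rules:", bypass_candidates(HARDENED_RULES, PROBES))
```

The same probe list is a cheap regression check to keep next to any path-based access rule: every spelling of the protected resource the framework will serve (trailing slash, extension suffix, index file) should land in the matched set, not the unmatched one.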

Cvelist
added 2025/06/12 2:56 p.m. · 29 views

CVE-2024-56158 XWiki allows SQL injection in query endpoint of REST API with Oracle

XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using functions like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select, and Hibernate allows using any native function in an HQL query. Thi...

CVSS 9.3 · EPSS 0.00431
Exploits 0 · References 3

Vulnrichment
added 2025/06/12 2:56 p.m. · 20 views

CVE-2024-56158 XWiki allows SQL injection in query endpoint of REST API with Oracle

XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using functions like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select, and Hibernate allows using any native function in an HQL query. Thi...

CVSS 9.3 · AI score 7.4 · EPSS 0.00431
Exploits 0 · References 3
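Added example (not XWiki's validator): the CVE-2024-56158 entries above say the query validator lets function calls through in a simple select, and that Hibernate forwards any native function name to the database. The block below puts a denylist-style check of that kind beside an allowlist-based check that only admits known HQL functions, which is the shape of fix that closes the gap. The two validators, the allowlist contents, the keyword sets and the sample queries are constructed here and are not taken from XWiki or from any exploit.

```python
import re

# An identifier, optionally dotted (package.function), that is followed by "(".
_CALL_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\s*\(")
# HQL keywords that are legitimately followed by "(" and are not function calls.
_PAREN_KEYWORDS = {"in", "exists", "not", "and", "or", "where", "select", "from", "on", "values"}

# Denylist of statement keywords (constructed): the weak approach only blocks these.
DENIED_KEYWORDS = {"insert", "update", "delete", "drop", "alter", "union", "into"}
# Allowlist of HQL functions a read-only search needs (constructed for the example).
ALLOWED_FUNCTIONS = {"lower", "upper", "trim", "length", "concat", "count", "min", "max", "substring"}


def validate_denylist(hql: str) -> bool:
    """Weak check: accept anything that starts with 'select' and avoids denied keywords.
    Function names are never inspected, so a native DB function sails through."""
    words = set(re.findall(r"[a-z_]+", hql.lower()))
    return hql.lstrip().lower().startswith("select") and not (words & DENIED_KEYWORDS)


def called_functions(hql: str) -> set:
    """Every name invoked with '(' in the query, minus HQL keywords such as 'in ('."""
    return {m.group(1).lower() for m in _CALL_RE.finditer(hql)
            if m.group(1).lower() not in _PAREN_KEYWORDS}


def validate_allowlist(hql: str) -> bool:
    """Hardened check: a select may only call functions that are on the allowlist,
    which rejects dotted native names like dbms_xmlgen.getxml outright."""
    if not hql.lstrip().lower().startswith("select"):
        return False
    return called_functions(hql) <= ALLOWED_FUNCTIONS


# Constructed sample queries for the demonstration (not taken from any exploit).
BENIGN = "select doc.fullName from XWikiDocument doc where lower(doc.title) like :q"
SUBQUERY = "select doc.fullName from XWikiDocument doc where doc.id in (select obj.id from BaseObject obj)"
NATIVE_CALL = "select doc.fullName from XWikiDocument doc where doc.name = dbms_xmlgen.getxml(:q)"

if __name__ == "__main__":
    for name, q in [("benign", BENIGN), ("subquery", SUBQUERY), ("native call", NATIVE_CALL)]:
        print(f"{name:>12}: denylist={validate_denylist(q)} allowlist={validate_allowlist(q)} "
              f"calls={sorted(called_functions(q))}")
```

A regex over query text is only a demonstration of the principle; a production validator should walk the parsed HQL tree so that string literals and comments cannot hide or fake a call. The design point stands either way: decide what a caller may invoke, not what it may not.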

NVD
added 2025/06/12 2:15 p.m. · 17 views

CVE-2025-49183

All communication with the REST API is unencrypted HTTP, allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files...

CVSS 7.5 · EPSS 0.00261
Exploits 0 · References 6

Vulnrichment
added 2025/06/12 1:21 p.m. · 5 views

CVE-2025-49183 Unencrypted communication (HTTP)

All communication with the REST API is unencrypted HTTP, allowing an attacker to intercept traffic between an actor and the webserver. This leads to the possibility of information gathering and downloading media files...

CVSS 7.5 · AI score 7.4 · EPSS 0.00261
Exploits 0 · References 6

CVE
added 2025/06/12 1:21 p.m. · 68 views

CVE-2025-49183

CVE-2025-49183 affects SICK Field Analytics and SICK Media Server. Root cause: unencrypted REST API communications over HTTP allow an attacker to intercept traffic, enabling information gathering and potential media-file downloads. Impact is described as confidentiality concerns (information disc...

CVSS 7.5 · AI score 6.8 · EPSS 0.00261
Exploits 0 · References 6 · Affected Software 1