16 matches found
GHSA-XQ3R-2QV5-VQQM XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
Impact It's possible to get access and read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false. This can apparently be reproduced on Tomcat instances. Patches This has been patched in 18.0.0-rc-1, 17.10.3, 17.4.9,...
XWiki Platform has path traversal via resources parameter in ssx and jsx endpoints when using leading slash
Impact It's possible to get access and read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false. This can apparently be reproduced on Tomcat instances. Patches This has been patched in 18.0.0-rc-1, 17.10.3, 17.4.9,...
CVE-2026-23734
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The...
EUVD-2026-31152
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The...
CVE-2026-23734 XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The...
CVE-2026-23734
XWiki Platform suffers a Path Traversal vulnerability in which configuration files can be read via the resources parameter on the ssx and jsx endpoints using a leading slash (e.g., /../../WEB-INF/xwiki.cfg). Affected releases:
CVE-2026-23734 XWiki Platform: Path traversal via resources parameter in ssx and jsx endpoints when using leading slash
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The...
CVE-2026-23734
XWiki Platform is a generic wiki platform. Versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17 allow access to read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg&minify=false, leading to Path Traversal. The...
PT-2026-42215
Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 18.1.0-rc-1 XWiki Platform versions prior to 17.10.3 XWiki Platform versions prior to 17.4.9 XWiki Platform versions prior to 16.10.17 Description Path Traversal allows unauthorized access to read configuration...
EUVD-2022-1741
Malicious code in bioql PyPI...
CVE-2022-24821
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But ...
CVE-2023-29206 org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins
XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a...
CVE-2022-24821
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But ...
CVE-2022-24821
XWiki Platform is affected by CVE-2022-24821: a bug in privileged API use allows users with edit rights (not programming rights) to create global SSX/JSX executed across the wiki. Affected components are the XWiki platform as described in the CVE entry; root cause is improper enforcement of acces...
CVE-2022-24821 Incorrect Use of Privileged APIs in org.xwiki.platform.skin.skinx
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But ...
CVE-2022-24821 Incorrect Use of Privileged APIs in org.xwiki.platform.skin.skinx
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But ...