23 matches found
Directory Traversal
Overview org.xwiki.platform:xwiki-platform-webjars-api is a XWiki Platform WebJars API. Affected versions of this package are vulnerable to Directory Traversal via the process that handles WebJar extension installation. An attacker can overwrite arbitrary files, including configuration files and...
GHSA-VGWR-23FQ-PR7G XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin
Impact A potential path traversal vulnerability allow an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe like overriding configuration files and setting the superadmin password, the attack first requir...
PT-2026-43465
Name of the Vulnerable Software and Affected Versions XWiki versions prior to 16.10.17 XWiki versions prior to 17.4.9 XWiki versions prior to 17.10.3 XWiki versions prior to 18.0.0RC1 Description A path traversal issue allows an attacker to write arbitrary files, which could lead to overriding...
EUVD-2024-3461
Malicious code in bioql PyPI...
EUVD-2022-4667
Malicious code in bioql PyPI...
CVE-2023-29203
XWiki Commons are technical libraries common to several other top level XWiki projects. It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with uorgsuggest.vm. This issue only concerns hidden users from main...
CVE-2025-32783
XWiki Platform vulnerability CVE-2025-32783 affects versions 5.0–16.7.1 when Message Stream is enabled and the wiki is configured as closed (Prevent unregistered users to view pages). A message sent in a subwiki to "everyone" is exposed to the main wiki via the Dashboard, even if the subwiki is p...
GHSA-GQ32-758C-3WM3 XWiki uses the wrong wiki reference in AuthorizationManager
Impact It's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as...
XWiki uses the wrong wiki reference in AuthorizationManager
Impact It's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as...
CVE-2025-29924
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The...
CVE-2025-29924 XWiki uses the wrong wiki reference in AuthorizationManager
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The...
PT-2025-11970 · Unknown · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 15.10.14 XWiki Platform versions prior to 16.4.6 XWiki Platform versions prior to 16.10.0-rc-1 Description: The issue allows an user to access private information through the REST API when a sub wiki is using...
GHSA-CWQ6-MJMX-47P6 XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
Impact Any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document Scheduler.WebHome in a subwiki. Then, click on any operation e.g., Trigger on any job. If the operation is successful...
XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
Impact Any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document Scheduler.WebHome in a subwiki. Then, click on any operation e.g., Trigger on any job. If the operation is successful...
CVE-2024-55876 XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document...
CVE-2024-55876
CVE-2024-55876 affects XWiki Platform. Versions 1.2-milestone-2 through 16.3.0 are vulnerable: any account on the master wiki could execute scheduling operations on subwikis by interacting with Scheduler.WebHome and triggering a job, indicating an insufficient authorization boundary between main ...
CVE-2024-55876 XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document...
CVE-2023-29203 Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm
XWiki Commons are technical libraries common to several other top level XWiki projects. It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with uorgsuggest.vm. This issue only concerns hidden users from main...
CVE-2023-29203 Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm
XWiki Commons are technical libraries common to several other top level XWiki projects. It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with uorgsuggest.vm. This issue only concerns hidden users from main...
CVE-2023-29203 Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm
XWiki Commons are technical libraries common to several other top level XWiki projects. It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with uorgsuggest.vm. This issue only concerns hidden users from main...