CVE-2025-29924
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The...
CVE-2025-29924 XWiki uses the wrong wiki reference in AuthorizationManager
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The...
CVE-2024-55876
XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document...
CVE-2024-55876 XWiki's scheduler in subwiki allows scheduling operations for any main wiki user
XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document...
PT-2024-36595 · Xwiki · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 1.2-milestone-2 through 15.10.8; XWiki Platform versions 1.2-milestone-2 through 16.2.x. Description: The issue allows any user with an account on the main wiki to run scheduling operations on subwikis. To reproduce, a...
GHSA-VVP7-R422-RX83 Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm
Impact: It's possible to list some users who are normally not viewable from a subwiki by requesting users on a subwiki which allows only global users with uorgsuggest.vm. This issue only concerns hidden users from the main wiki. Note that the disclosed information is the username and the first and last...
Cross site scripting
XWiki Platform Wiki UI Main Wiki is a package for managing subwikis. Starting with version 5.3-milestone-2, XWiki Platform Wiki UI Main Wiki contains a possible cross-site scripting vector in the WikiManager.JoinWiki wiki page related to the "requestJoin" field. The issue is patched in versions...
CVE-2022-29252
XWiki Platform Wiki UI Main Wiki contains a cross-site scripting vector in the WikiManager.JoinWiki page (field requestJoin) starting with version 5.3-milestone-2. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. A workaround is to edit WikiManager.JoinWiki using the wik...
CVE-2014-7837
mod/wiki/admin.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to remove wiki pages by leveraging delete access within a different subwiki...