4 matches found
org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move
Impact: An attacker with edit access on any document (this can be the user profile, which is editable by default) can move any attachment of any other document to this attacker-controlled document. This allows the attacker to access and possibly publish any attachment of which the name is known, regardles...
CVE-2023-37913
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 3.5-milestone-1 and prior to versions 14.10.8 and 15.3-rc-1, triggering the office converter with a specially crafted file name allows writing the attachment's content to a...
GHSA-92WP-R7HM-42G7 XWiki Platform subject to Uncontrolled Resource Consumption
Impact: It's possible to make the farm unusable by adding an object to a page with a huge number, e.g. 67108863. This will most of the time fill the memory allocated to XWiki and make it unusable every time this document is manipulated. Patches: It has been patched in XWiki 14.0. Workarounds: There is...
CVE-2023-26470
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number e.g. 67108863. Most of the time this will fill the memory allocated to XWiki and make it unusable every...