8 matches found

OSV | added 2026/05/26 7:33 p.m.

GHSA-VGWR-23FQ-PR7G XWiki Platform vulnerable to potential arbitrary file writing using path traversal from (subwiki) admin

Impact: A potential path traversal vulnerability allows an attacker who manages to get a malicious WebJar extension installed on the wiki to write arbitrary files. While the consequences could be severe, like overriding configuration files and setting the superadmin password, the attack first requir...

CVSS 5.9 | AI score 5.9 | Exploits 0 | References 4
RedhatCVE | added 2026/01/09 9:00 a.m.

CVE-2023-29210

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki...

CVSS 9.9 | AI score 7.5 | EPSS 0.06474 | Exploits 1 | References 1
Github Security Blog | added 2025/12/10 3:46 p.m.

XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication

Impact: A reflected XSS vulnerability in XWiki allows an attacker to send a victim to a URL with a deletion confirmation message on which the attacker-supplied script is executed when the victim clicks the "No" button. When the victim has admin or programming right, this allows the attacker to...

CVSS 6.5 | AI score 7.3 | EPSS 0.00129 | Exploits 1 | References 5 | Affected software 2
EUVD | added 2025/10/03 8:07 p.m.

EUVD-2022-1205

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 6.7 | EPSS 0.00071 | Exploits 1 | References 8
Cvelist | added 2025/04/30 2:55 p.m.

CVE-2025-32974 org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page...

CVSS 9 | EPSS 0.01377 | Exploits 0 | References 3
OSV | added 2025/04/29 1:57 p.m.

GHSA-PJHG-9WR9-RJ96 org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability

Impact: An open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirect to any URL. To reproduce, open /xwiki/bin/view/Main/?foo=bar&foosyntax=invalid&RequiresHTMLConversion=foo&xerror=https://www.example.com/ where is the...

CVSS 6.1 | AI score 6.6 | EPSS 0.0007 | Exploits 1 | References 5
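The reproduction URL above hands the filter an attacker-chosen absolute URL in the xerror parameter. The following is an added example, not XWiki's own code (which is Java), showing the check a redirect parameter like xerror needs: accept only same-origin targets and reject the spellings that browsers normalise to a foreign host. The host name wiki.example.org and the function names are assumptions for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical local host name; a real filter would take it from the request.
LOCAL_HOST = "wiki.example.org"


def is_safe_redirect_target(target: str, local_host: str = LOCAL_HOST) -> bool:
    """Return True only if `target` keeps the browser on `local_host`.

    Allowed: absolute-path references such as "/xwiki/bin/view/Main/" and
    absolute http(s) URLs whose host is exactly `local_host`.
    Rejected: any other host, scheme-relative references ("//host"), the
    backslash and triple-slash spellings browsers normalise to "//host",
    non-http schemes (javascript:, data:) and anything containing whitespace
    or control characters, which are used to hide a scheme from naive checks.
    """
    if not target:
        return False
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat "\" as "/" in the leading part of a URL, so "/\evil" is "//evil".
    normalised = target.replace("\\", "/")
    # "//host" and "///host" both resolve to an authority in browsers, even
    # though urlsplit() parses "///host" as a plain path.
    if normalised.startswith("//"):
        return False
    try:
        parts = urlsplit(normalised)
    except ValueError:  # malformed IPv6 literal and similar
        return False
    if parts.scheme:
        # "https:evil.example" (no slashes) has a scheme but no host: rejected.
        if parts.scheme not in ("http", "https"):
            return False
        return parts.hostname == local_host
    # No scheme and no leading "//": accept only path-absolute references.
    return normalised.startswith("/")


def redirect_target_allowed(request_url: str, param: str = "xerror") -> bool:
    """Apply the check to the redirect parameter of a request URL.

    Returns True when the parameter is absent (nothing to redirect to) or
    when its value passes is_safe_redirect_target().
    """
    query = parse_qs(urlsplit(request_url).query)
    values = query.get(param)
    if not values:
        return True
    return is_safe_redirect_target(values[0])


if __name__ == "__main__":
    # The reproduction URL from the advisory, with the external xerror target.
    poc = ("/xwiki/bin/view/Main/?foo=bar&foosyntax=invalid"
           "&RequiresHTMLConversion=foo&xerror=https://www.example.com/")
    print("PoC redirect allowed:", redirect_target_allowed(poc))
    print("Local redirect allowed:",
          redirect_target_allowed("/xwiki/bin/view/Main/?xerror=/xwiki/bin/view/Main/"))
```

The host comparison is exact rather than a suffix match, so wiki.example.org.attacker.example and userinfo tricks such as https://wiki.example.org@attacker.example/ are both rejected; relative-path references ("Main/WebHome") are also refused because their meaning depends on the page that issues the redirect.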
Github Security Blog | added 2023/12/19 9:39 p.m.

Velocity execution without script right through tree macro

Impact: It's possible to execute a Velocity script without script right through the document tree. To reproduce:
1. As a user without script right, create a document, e.g. named "Nasty Title".
2. Set the document's title to $request.requestURI.
3. Click "Save & View".
4. Reload the page in the browser.
The...

CVSS 8.3 | AI score 7.3 | EPSS 0.01361 | Exploits 1 | References 5 | Affected software 1
SUSE CVE | added 2023/02/15 3:40 a.m.

SUSE CVE-2021-32732

Impact: It's possible to find out whether a user account exists in a wiki for a given email address, and which username is actually tied to that email, by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those...

CVSS 7.5 | AI score 6.4 | EPSS 0.00071 | Exploits 1 | References 3
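Because the Forgot username page can be hit repeatedly without a CSRF token, the enumeration described above shows up in access logs as a burst of POSTs to one page from one client. The following is an added example, not part of the advisory or of XWiki, of the detection logic run over a few constructed access-log lines. The page path /xwiki/bin/view/XWiki/ForgotUsername, the thresholds and the sample addresses are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed path of the Forgot username page; adjust to the instance's actual URL.
FORGOT_USERNAME_PATH = "/xwiki/bin/view/XWiki/ForgotUsername"

# Common/combined access-log line: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_enumeration_bursts(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_count} for clients that sent `threshold` or more POSTs
    to the Forgot username page within any sliding window of `window_seconds`.

    Lines that do not parse, are not POSTs, or target another page are
    ignored. Lines are expected in chronological order per client.
    """
    recent = defaultdict(deque)   # ip -> timestamps of matching requests in window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith(FORGOT_USERNAME_PATH):
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        window = recent[m["ip"]]
        window.append(ts)
        # Drop requests that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(window))
    return flagged


# Constructed sample log: 203.0.113.5 submits the form six times in 25 seconds,
# 198.51.100.7 uses it once and retries two minutes later.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:10:00:00 +0000] "GET /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:10:00:05 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 5210',
    '203.0.113.5 - - [10/Oct/2023:10:00:10 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 5210',
    '198.51.100.7 - - [10/Oct/2023:10:00:12 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 5210',
    '203.0.113.5 - - [10/Oct/2023:10:00:15 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 5210',
    '203.0.113.5 - - [10/Oct/2023:10:00:20 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 5210',
    '203.0.113.5 - - [10/Oct/2023:10:00:25 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 5210',
    '203.0.113.5 - - [10/Oct/2023:10:00:30 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 5210',
    '198.51.100.7 - - [10/Oct/2023:10:02:00 +0000] "POST /xwiki/bin/view/XWiki/ForgotUsername HTTP/1.1" 200 5210',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for ip, count in find_enumeration_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} Forgot-username POSTs inside one window")
```

The rule keys on POSTs only because the GET that renders the form is normal browsing; matching on the path prefix rather than equality keeps query-string variants of the same page in scope. Tune the threshold to the instance's real traffic before alerting on it.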