Lucene search
K

20 matches found

OSV
OSV
added 2025/08/05 5:13 p.m.5 views

GHSA-57Q2-6CP4-9MQ3 XWiki exposes passwords and emails stored in fields not named password/email in xml.vm

Impact The XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This allows any user to obtain the salted and hashed user accou...

8.7CVSS6.3AI score0.01199EPSS
Exploits0References5
OpenVAS
OpenVAS
added 2025/07/18 12:0 a.m.3 views

XWiki 11.10.11 < 16.4.7, 16.5.0-rc-1 < 16.10.3, 17.0.0-rc-1 < 17.0.0 RCE Vulnerability (GHSA-9875-cw22-f7cx)

Xwiki is prone to a remote code execution RCE vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:xwiki:xwiki";...

8.8CVSS6.5AI score0.00489EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2025/06/13 8:38 p.m.15 views

XWiki's required right warnings for macros are incomplete

Impact When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an...

8.6CVSS7.2AI score0.00717EPSS
Exploits1References11Affected Software4
CVE
CVE
added 2025/06/13 5:51 p.m.62 views

CVE-2025-49587

Summary (CVE-2025-49587) : XWiki Platform is vulnerable to reflected XSS when a user without script rights creates a document containing an XWiki.Notifications.Code.NotificationDisplayerClass object, and an admin later edits and saves the document. The potentially malicious object content is outp...

8CVSS5.8AI score0.0036EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2025/06/13 4:41 p.m.80 views

CVE-2025-49582

XWiki platform is affected by a remote code execution risk due to incomplete required-right analyzers for dangerous macros. The issue allows a page to include Groovy or Python macros hidden by a user with lower privileges, which could be executed when another user with higher rights edits the pag...

8.6CVSS7.4AI score0.00717EPSS
Exploits1References9Affected Software1
Positive Technologies
Positive Technologies
added 2025/06/13 12:0 a.m.6 views

PT-2025-25438 · Xwiki · Xwiki

Name of the Vulnerable Software and Affected Versions: XWiki versions prior to 16.4.7 XWiki versions prior to 16.10.3 XWiki versions prior to 17.0.0 Description: The issue allows any XWiki user with edit rights on at least one App Within Minutes application to obtain programming rights and perfor...

8.7CVSS7.2AI score0.00641EPSS
Exploits1References13
RedhatCVE
RedhatCVE
added 2025/05/23 7:40 a.m.13 views

CVE-2024-31465

XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.20, 15.5.4, and 15.9-rc-1, any user with edit right on any page can execute any code on the server by adding an object of type XWiki.SearchSuggestSourceClass to their user profile or any other page...

9.9CVSS7.1AI score0.75575EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/22 6:52 p.m.6 views

CVE-2021-43841

XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. This problem has been patched so that...

5.4CVSS6.7AI score0.0087EPSS
Exploits1
RedhatCVE
RedhatCVE
added 2025/05/21 6:32 p.m.8 views

CVE-2006-7223

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifyi...

6.5CVSS7.8AI score0.01507EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/05/21 5:38 p.m.15 views

CVE-2025-48063 XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right

XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are...

4.8CVSS7.4AI score0.0078EPSS
Exploits1References3
OSV
OSV
added 2025/05/21 5:38 p.m.19 views

CVE-2025-48063 XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right

XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are...

4.8CVSS7.5AI score0.0078EPSS
Exploits1References5
NVD
NVD
added 2025/04/30 7:15 p.m.27 views

CVE-2025-46554

XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint...

5.3CVSS0.00986EPSS
Exploits1References5
CVE
CVE
added 2025/04/30 6:27 p.m.66 views

CVE-2025-46554

The CVE-2025-46554 issue affects XWiki platforms starting from 1.8.1 up to just before several patched versions (14.10.22, 15.10.12, 16.4.3, 16.7.0) where the wiki attachment REST endpoint exposes attachment metadata without regard to current user rights. An unauthenticated user could access the ...

5.3CVSS5.3AI score0.00986EPSS
In wildExploits1References5Affected Software1
NVD
NVD
added 2025/04/30 3:16 p.m.19 views

CVE-2025-32971

XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's...

3.8CVSS0.00334EPSS
Exploits1References3
Cvelist
Cvelist
added 2025/04/30 2:55 p.m.36 views

CVE-2025-32974 org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page...

9CVSS0.00298EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2025/04/30 2:54 p.m.13 views

CVE-2025-32970 org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability

XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that...

6.1CVSS6.6AI score0.00539EPSS
Exploits1References3
OSV
OSV
added 2025/04/29 2:5 p.m.8 views

GHSA-MVGM-3RW2-7J4R org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type

Impact When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed afte...

9CVSS7AI score0.00298EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2025/03/19 8:34 p.m.20 views

XWiki allows unregistered users to access private pages information through REST endpoint

Impact Protected pages are listed when requesting the REST endpoints /rest/wikis/wikiName/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the...

8.7CVSS6.5AI score0.00906EPSS
Exploits1References7Affected Software1
RedhatCVE
RedhatCVE
added 2025/02/05 8:24 p.m.9 views

CVE-2022-31167

XWiki Platform Security Parent POM contains the security APIs for XWiki Platform, a generic wiki platform. Starting with version 5.0 and prior to 12.10.11, 13.10.1, and 13.4.6, a bug in the security cache stores rules associated to document Page1.Page2 and space Page1.Page2 in the same cache entr...

7.1CVSS6.7AI score0.00645EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2022/09/07 1:55 p.m.6 views

CVE-2022-31167 XWiki Platform Security Parent POM vulnerable to overwriting of security rules of a page with a final page having the same reference

XWiki Platform Security Parent POM contains the security APIs for XWiki Platform, a generic wiki platform. Starting with version 5.0 and prior to 12.10.11, 13.10.1, and 13.4.6, a bug in the security cache stores rules associated to document Page1.Page2 and space Page1.Page2 in the same cache entr...

7.1CVSS7.1AI score0.00645EPSS
Exploits1References3
Rows per page
Query Builder