5 matches found
CVE-2024-42489
CVE-2024-42489 affects Pro Macros (XWiki rendering macros). The vulnerability is due to missing escaping in the Viewpdf macro (and similar macros like Viewppt ), enabling remote code execution for users with view/edit/comment rights on affected pages. Root cause: missing escaping on CKEditor.HTML...
CVE-2025-55728
CVE-2025-55728 concerns the XWiki Remote Macros package, specifically the panel macro. The issue arises from missing escaping of the classes parameter in the panel macro, which is used within XWiki syntax and can lead to XWiki syntax injection. Affects versions 1.0 through 1.26.4 (and up to 1.26....
CVE-2025-55727
CVE-2025-55727 affects XWiki Remote Macros (column macro width parameter). The issue: missing escaping of the width parameter in versions 1.0 through 1.26.4 enables remote code execution when a user can edit a page or access the CKEditor converter, due to unescaped XWiki syntax in the width param...
CVE-2025-65089
CVE-2025-65089 affects XWiki Remote Macros. Prior to version 1.27.0, a user with no view rights on a page could see the content of an office attachment rendered via the view file macro. This is a data leak due to mis-authorization in the macro rendering path. The issue has been patched in version...
CVE-2025-65036
XWiki Remote Macros (xwiki-pro-macros) prior to version 1.27.1 allow remote code execution by executing Velocity from details pages without proper permission checks. Affected component is the macro rendering feature used for Confluence content migration. The issue is fixed in 1.27.1; remediation ...