Xwiki
XWiki versions up to 17.9.0 are affected by improper restriction of rendered UI layers or frames (CVSS 6.1).
Reflected XSS in XWiki Platform versions 7.0 through 17.7.0 enables attackers to craft malicious URLs that execute arbitrary actions with victim privileges, potentially leading to full installation compromise if the victim holds administrative or programming rights. The vulnerability requires user interaction to trigger and affects multiple version branches across the XWiki and XWiki Rendering products. Patches are available for affected versions, and a manual workaround exists that requires modification of a single line in the logging_macros.vm template without requiring a restart.
XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance using the XWiki Jetty package (XJetty), a context is exposed that statically serves any file located in the webapp/ folder. This allows access to files which might contain credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available.
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
A cross-site scripting vulnerability in version 5.4.5 and (CVSS 9.0). Critical severity with potential for significant impact on affected systems. Vendor patch is available.
Stored XSS vulnerability in XWiki affecting versions before 15.10.16, 16.4.7, and 16.10.2. An unprivileged user can inject malicious content into the NotificationDisplayerClass object of a document, which is then rendered as raw HTML when an administrator edits and saves the document, enabling XSS attacks with high integrity and confidentiality impact. The vulnerability requires low attack complexity and user interaction (admin action), with a CVSS score of 8.0 indicating significant real-world risk.
A remote code execution vulnerability in XWiki (CVSS 8.8). Risk factors: public PoC available. Vendor patch is available.
A security vulnerability in versions (CVSS 8.0). Risk factors: public PoC available. Vendor patch is available.
A security vulnerability in XWiki Platform (CVSS 7.5) that allows an attacker. Risk factors: public PoC available. Vendor patch is available.
XWiki's macro rights analyzer introduced in version 15.9RC1 contains incomplete validation that allows attackers to hide malicious script macros (Groovy, Python) by exploiting non-lowercase parameter handling and unanalyzed macro parameters. An authenticated attacker with limited privileges can inject hidden malicious macros that execute when a higher-privileged user edits the page, enabling remote code execution. This vulnerability affects XWiki versions 15.9RC1 through 16.4.6, 16.10.0-16.10.2, and 16.x-17.0.0-rc1, with patches available in versions 16.4.7, 16.10.3, and 17.0.0.
Critical privilege escalation vulnerability in XWiki that allows any user with page edit rights to execute arbitrary code (Groovy, Python, Velocity) with programming-level privileges by creating malicious wiki macros. An attacker can exploit wiki macro parameter defaults to inject code into high-privilege pages like XWiki.ChildrenMacro, achieving full XWiki installation compromise. The vulnerability affects XWiki versions prior to 16.4.7, 16.10.3, and 17.0.0; patch availability is confirmed across multiple release branches.
Privilege escalation vulnerability in XWiki where pages can unexpectedly gain script or programming rights when they contain links to pages that are subsequently renamed or moved. This allows attackers with low privileges to execute arbitrary scripts embedded in XObjects that should have been restricted, potentially leading to complete system compromise. The vulnerability affects XWiki versions 8.2 through 17.0.x and requires user interaction (page visit) to trigger, with patches available in 17.1.0-rc-1, 16.10.4, and 16.4.7.
Critical SQL injection vulnerability in XWiki that allows unauthenticated remote attackers to execute arbitrary SQL queries against Oracle databases by exploiting insufficient validation of native SQL functions (DBMS_XMLGEN, DBMS_XMLQUERY) in Hibernate query processing. The vulnerability affects XWiki versions before 16.10.2, 16.4.7, and 15.10.16, with a CVSS score of 9.8 indicating critical severity and complete compromise of confidentiality, integrity, and availability. This is a pre-authentication remote code execution vector with no user interaction required.
XWiki is a generic wiki platform. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
XWiki is a generic wiki platform. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.
XWiki is a generic wiki platform. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
XWiki is a generic wiki platform. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity.
XWiki is a generic wiki platform. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
XWiki is a generic wiki platform. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.
XWiki is a generic wiki platform. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
XWiki is a generic wiki platform. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
XWiki is a generic wiki platform. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 26.9%.
XWiki is a generic wiki platform. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XWiki Platform is a generic wiki platform. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
XWiki Platform is a generic wiki platform. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
XWiki Platform is a generic wiki platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
XWiki Platform is a generic wiki platform. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
XWiki Platform allows unauthenticated remote code execution through the SolrSearch endpoint, enabling guests to execute arbitrary code and compromise the entire XWiki installation.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity.
XWiki Platform prior to specific patched versions contains a CVSS 10.0 remote code execution vulnerability through the user registration form. Attackers inject Groovy code into the first name or last name fields, which is executed server-side when the user profile page is rendered.