cvebase

XWiki xwiki-platform vulnerabilities

227 known vulnerabilities affecting xwiki/xwiki-platform.

Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3

Vulnerabilities

Page 11 of 12
CVE-2024-31985 | P4 | MEDIUM | CVSS 5.4 | affected: >= 3.1, < 14.10.19; >= 15.0-rc-1, < 15.5.4; +1 more | 2024-04-10
CWE-352: XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such a URL in any content as an image. The vulnerability has been fi
Source: NVD
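The mechanism in the entry above is a state-changing scheduler action reachable through a predictable URL, which an `<img>` tag embedded in any page can make the admin's browser fetch. The guard that closes that class of bug is easiest to see in code. The following is an added illustration in Python, not XWiki's code and not its fix (the entry does not say what the fix was); `Session`, `Request`, `guard_job_action`, the `form_token` field name and the `/example/scheduler` path are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed example, not XWiki code: a guard for a scheduler-style action
# (schedule / trigger / unschedule) that must never fire from a bare GET.
# Session, Request, guard_job_action, "form_token" and the example path are
# assumptions made for this illustration.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
STATE_CHANGING = {"schedule", "trigger", "unschedule"}


@dataclass
class Session:
    user: str
    is_admin: bool
    # One unguessable token per session. An <img>-triggered request cannot
    # carry it because the attacker never sees the victim's session.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    form: Dict[str, str] = field(default_factory=dict)


def guard_job_action(session: Session, request: Request) -> Tuple[bool, str]:
    """Return (allowed, reason) for the action named in request.form["do"]."""
    action = request.form.get("do", "")
    if action not in STATE_CHANGING:
        return False, "unknown action"
    if request.method in SAFE_METHODS:
        # <img src=...>, prefetchers and plain links only ever issue GET/HEAD,
        # so refusing to change state on safe methods closes the embedding
        # vector no matter how predictable the URL is.
        return False, "state change attempted over a safe method"
    if not session.is_admin:
        return False, "admin rights required"
    supplied = request.form.get("form_token", "")
    # Constant-time comparison so the token check is not a timing oracle.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def run_scenarios() -> Dict[str, bool]:
    """Four requests against a hypothetical /example/scheduler endpoint."""
    admin = Session(user="admin", is_admin=True)
    editor = Session(user="editor", is_admin=False)
    path = "/example/scheduler"
    return {
        # What an embedded image produces when the admin views the page.
        "image_get": guard_job_action(
            admin, Request("GET", path, {"do": "trigger"}))[0],
        # A cross-origin POST cannot know the session token.
        "forged_post": guard_job_action(
            admin, Request("POST", path, {"do": "trigger", "form_token": "guess"}))[0],
        # A non-admin with a valid token still cannot touch the scheduler.
        "editor_post": guard_job_action(
            editor, Request("POST", path, {"do": "trigger", "form_token": editor.csrf_token}))[0],
        # The legitimate form submission from the Job Scheduler UI.
        "admin_post": guard_job_action(
            admin, Request("POST", path, {"do": "trigger", "form_token": admin.csrf_token}))[0],
    }


if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```

The two checks are independent and both matter: rejecting safe methods stops the image/link vector by itself, while the per-session token stops a forged cross-origin POST from a page the admin happens to have open.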
CVE-2022-41932 | P4 | MEDIUM | CVSS 5.3 | fixed in 13.10.8; affected: >= 14.0.0, < 14.4.2; +1 more | 2022-11-23
CWE-400: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database performance. The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14
Source: NVD
CVE-2024-31464 | P4 | MEDIUM | CVSS 4.9 | affected: >= 5.0-rc-1, < 14.10.19; >= 15.0-rc-1, < 15.5.4; +1 more | 2024-04-10
CWE-200: XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.9-rc-1, it is possible to access the hash of a password by using the diff feature of the history whenever the object storing the password is deleted. Using that vulnerability it's possible for an attacker to have access to the hash
Source: NVD
CVE-2022-23622 | P4 | MEDIUM | CVSS 6.1 | affected: >= 2.6.1, < 12.10.11; >= 13.0.0, < 13.4.7; +1 more | 2022-02-09
CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is a cross site scripting (XSS) vector in the `registerinline.vm` template related to the `xredirect` hidden field. This template is only used in the following conditions: 1. The wiki must be open to registration for any
Source: NVD
CVE-2022-29252 | P4 | MEDIUM | CVSS 6.1 | affected: >= 5.3-milestone-2, < 12.10.11; >= 13.0, < 13.4.7; +1 more | 2022-05-25
CWE-80: XWiki Platform Wiki UI Main Wiki is a package for managing subwikis. Starting with version 5.3-milestone-2, XWiki Platform Wiki UI Main Wiki contains a possible cross-site scripting vector in the `WikiManager.JoinWiki` wiki page related to the "requestJoin" field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest
Source: NVD
CVE-2023-36477 | P4 | MEDIUM | CVSS 5.4 | affected: org.xwiki.contrib:application-ckeditor-ui >= 1.9, < 1.64.9; org.xwiki.platform:xwiki-platform-ckeditor-ui >= 14.6-rc-1, < 14.10.6; +1 more | 2023-06-30
CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights can edit all pages in the `CKEditor` space. This makes it possible to perform a variety of harmful actions, such as removing technical documents, leading to loss of service and editing the javascript configuration of CKEd
Source: NVD
CVE-2023-45137 | P4 | MEDIUM | CVSS 5.4 | affected: >= 3.1-milestone-2, < 13.4-rc-1; >= 14.0-rc-1, < 14.10.12; +1 more | 2023-10-25
CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. `org.xwiki.platform:xwiki-platform-web` starting in version 3.1-milestone-2 and prior to version 13.4-rc-1, as well as `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1, are vulnerable to cross-site scripti
Source: NVD
CVE-2023-29203 | P4 | MEDIUM | CVSS 5.3 | affected: >= 13.9-rc-1, < 13.10.8; >= 14.0-rc-1, < 14.4.3; +1 more | 2023-04-15
CWE-359: XWiki Commons are technical libraries common to several other top level XWiki projects. It's possible to list some users who are normally not viewable from a subwiki by requesting users on a subwiki that allows only global users with `uorgsuggest.vm`. This issue only concerns hidden users from the main wiki. Note that the disclosed information are the us
Source: NVD
CVE-2023-29508 | P4 | MEDIUM | CVSS 5.4 | affected: >= 13.10.10, < 13.10.11; >= 14.4, < 14.4.7; +1 more | 2023-04-16
CWE-79: XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.
Source: NVD
CVE-2022-23621 | P4 | MEDIUM | CVSS 4.9 | affected: >= 13.6.0, < 13.7-rc-1; >= 13.0.0, < 13.4.3; +1 more | 2022-02-09
CWE-862: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")`.
Source: NVD
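The `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")` call above is the classic shape of a helper that forwards a caller-supplied path into the servlet container and hands back whatever it finds. What follows is an added example in Python, not XWiki's code and not a description of its actual fix (the entry does not say what that was): how such a helper can normalise the path and allow-list it before forwarding, so that neither `..` segments nor percent-encoding reach `/WEB-INF/`. `normalize`, `is_forwardable` and both prefix tuples are assumptions for the illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed example, not XWiki code and not its actual fix: a path check
# for a script-exposed helper that forwards a path to an internal servlet and
# returns the body. normalize, is_forwardable and the prefix tuples are
# assumptions for this illustration.

# Container-internal roots that must never be served, whatever else is allowed.
FORBIDDEN_PREFIXES = ("/WEB-INF/", "/META-INF/")
# Hypothetical public roots. The allow-list is the real control; the deny-list
# above is defence in depth against a too-broad allow entry.
ALLOWED_PREFIXES = ("/resources/", "/skins/")


def normalize(path: str) -> str:
    """Decode repeatedly (to defeat double encoding), unify separators and
    collapse '.' / '..' so prefix checks see the path the container would."""
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Some containers accept backslashes as separators; treat them as '/'.
    decoded = decoded.replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def is_forwardable(path: str) -> bool:
    """True only for paths that, after normalisation, sit under a public root."""
    norm = normalize(path)
    # Case-insensitive deny check: some filesystems and containers fold case.
    if norm.upper().startswith(FORBIDDEN_PREFIXES):
        return False
    return norm.startswith(ALLOWED_PREFIXES)


if __name__ == "__main__":
    for candidate in (
        "/resources/js/app.js",
        "/WEB-INF/xwiki.cfg",
        "/resources/../WEB-INF/xwiki.cfg",
        "/resources/%252e%252e/WEB-INF/xwiki.properties",
        "/skins/..\\WEB-INF/xwiki.cfg",
    ):
        print(f"{candidate!r}: {'forward' if is_forwardable(candidate) else 'deny'}")
```

Whichever right gates the call (the entry says SCRIPT right was enough), the path check is the second, independent control: it keeps a scripted caller away from `/WEB-INF/` and `/META-INF/` even when the call itself remains reachable.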
CVE-2022-23620 | P4 | MEDIUM | CVSS 5.4 | affected: >= 6.2-rc-1, < 13.6 | 2022-02-09
CWE-22: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document references when serializing them on the filesystem, so it is possible for the HTML export process to contain reference elements containing
Source: NVD
CVE-2023-29206 | P4 | MEDIUM | CVSS 5.4 | affected: >= 3.0-milestone-1, < 14.9-rc-1 | 2023-04-15
CWE-79: XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check on the author of a JavaScript xobject or StyleSheet xobject added to an XWiki document, so until now it was possible for a user having only Edit Right to create such an object and to craft a script allowing to perform some operations when executing
Source: NVD
CVE-2023-35153 | P4 | MEDIUM | CVSS 5.4 | affected: >= 5.4.4, < 14.4.8; >= 14.5, < 14.10.4; +1 more | 2023-06-23
CWE-79: XWiki Platform is a generic wiki platform. Starting in version 5.4.4 and prior to versions 14.4.8, 14.10.4, and 15.0, a stored cross-site scripting vulnerability can be exploited by users with edit rights by adding an `AppWithinMinutes.FormFieldCategoryClass` class on a page and setting the payload on the page title. Then, any user visiting `/xwiki/bi
Source: NVD
CVE-2023-29205 | P4 | MEDIUM | CVSS 5.4 | fixed in 14.8-rc-1 | 2023-04-15
CWE-79: XWiki Commons are technical libraries common to several other top level XWiki projects. The HTML macro does not systematically perform a proper neutralization of script-related html tags. As a result, any user able to use the html macro in XWiki, is able to introduce an XSS attack. This can be particularly dangerous since in a standard wiki, any user
Source: NVD
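The HTML macro entry above, like the other stored-XSS entries on this page, comes down to incomplete neutralisation of script-bearing markup. An added example, not XWiki's HTML macro implementation, of the approach that holds up: an allow-list sanitizer that keeps a small set of known tags and attributes, drops `<script>`-like elements together with their content, and validates URL-valued attributes, so that `onerror=`, `javascript:` and whitespace-obfuscated schemes never survive. The tag and attribute sets are assumptions chosen for the illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed example, not XWiki's HTML macro: an allow-list sanitizer that
# keeps known-safe tags and attributes and removes everything else, instead of
# deny-listing "script-related" markup. The sets below are assumptions.

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "br", "code", "pre", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
# Elements whose text content must vanish too, not only the tags themselves.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}


def safe_url(value: str) -> bool:
    """Allow relative URLs and a few schemes; reject javascript:, data:, etc.
    Control characters and whitespace are removed first because browsers
    ignore them when parsing the scheme ("java\\tscript:" is javascript:)."""
    compact = "".join(ch for ch in value.strip().lower() if ch > " ")
    if ":" not in compact:
        return True
    return compact.startswith(("http://", "https://", "mailto:"))


class Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside an element from DROP_WITH_CONTENT

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # removes every on* handler, style=, srcdoc=, ...
            if name in URL_ATTRS and not safe_url(value or ""):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            # Re-escape text so decoded entities cannot turn back into markup.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments can hide conditional or unbalanced markup; drop them


def sanitize(fragment: str) -> str:
    """Return the allow-listed, re-serialised form of an HTML fragment."""
    parser = Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for sample in ('<p onclick="x()">Hi <b>there</b></p>',
                   '<img src="x" onerror="alert(1)">',
                   '<a href="javascript:alert(1)">x</a>',
                   '<script>alert(1)</script><p>ok</p>'):
        print(repr(sample), "->", repr(sanitize(sample)))
```

The design point is the direction of the decision: nothing is emitted unless it is explicitly known to be safe, which is why an attribute never seen before, a new event handler or a scheme trick the deny-list author did not think of all fall out without any change to the code.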
CVE-2022-41929 | P4 | MEDIUM | CVSS 4.9 | affected: >= 11.7RC1, < 13.10.7; >= 14.0.0, < 14.4.2 | 2022-11-23
CWE-862: org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.
Source: NVD
CVE-2022-41935 | P4 | MEDIUM | CVSS 4.3 | affected: >= 12.10.11, < 13.10.8; >= 14.0.0, < 14.4.3 | 2022-11-23
CWE-200: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users without the right to view documents can deduce their existence by repeated Livetable queries. The issue has been patched in XWiki 14.6RC1, 13.10.8, and 14.4.3: the response is now properly cleaned up of obfuscated entries. As a workaround,
Source: NVD
CVE-2023-29513 | P4 | MEDIUM | CVSS 4.3 | fixed in 14.10.1 | 2023-04-19
CWE-284: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. If the guest user has view right on any document, it is possible to create a new user using `distribution/firstadminuser.wiki` in the wrong context. This vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.1. There is no known workaround other
Source: NVD
CVE-2023-34466 | P4 | MEDIUM | CVSS 4.3 | affected: >= 5.0-milestone-1, < 14.4.8; >= 14.5, < 14.10.4 | 2023-06-23
CWE-200: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.0-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, tags from pages not viewable to the current user are leaked by the tags API. This information can also be exploited to infer the document reference of non-v
Source: NVD
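The Livetable entry (CVE-2022-41935) and the tags API entry (CVE-2023-34466) on this page are the same failure seen twice: a count, page or aggregate is computed before the requester's view right is applied, so a user can infer documents they cannot open. An added example in Python, not XWiki's Livetable or tags implementation, that puts the leaky ordering beside the corrected one on a constructed two-document sample; `Doc`, `can_view`, `list_docs_leaky`, `list_docs`, `tags_for` and the sample data are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed example, not XWiki's Livetable or tags API. The secure variants
# apply the requester's view right *before* counting, paginating or
# aggregating, so a document the user may not view leaves no trace in totals
# or tag lists. All names and the sample data are assumptions.


@dataclass(frozen=True)
class Doc:
    ref: str
    tags: FrozenSet[str]
    viewers: FrozenSet[str]  # "*" means everyone may view


def can_view(doc: Doc, user: str) -> bool:
    return "*" in doc.viewers or user in doc.viewers


def list_docs_leaky(docs: List[Doc], user: str, query: str,
                    offset: int, limit: int) -> Dict:
    """Anti-pattern: match, count and slice first, then blank out hidden rows.
    The total and the 'obfuscated' row slots still reveal that hidden matches
    exist, and repeated queries with narrower filters pin down which one."""
    matching = [d for d in docs if query in d.ref]
    page = matching[offset:offset + limit]
    rows = [d.ref if can_view(d, user) else "obfuscated" for d in page]
    return {"total": len(matching), "rows": rows}


def list_docs(docs: List[Doc], user: str, query: str,
              offset: int, limit: int) -> Dict:
    """Filter by view right first; every number derived afterwards is
    consistent with what the user is allowed to see, so no query can act
    as an existence oracle."""
    visible = [d for d in docs if can_view(d, user)]
    matching = [d for d in visible if query in d.ref]
    return {"total": len(matching),
            "rows": [d.ref for d in matching[offset:offset + limit]]}


def tags_for(docs: List[Doc], user: str) -> Dict[str, int]:
    """Tag cloud computed only over documents the user may view."""
    counts: Dict[str, int] = {}
    for d in docs:
        if not can_view(d, user):
            continue
        for t in d.tags:
            counts[t] = counts.get(t, 0) + 1
    return counts


# Constructed sample: one public page and one page only "alice" may view.
SAMPLE_DOCS = [
    Doc("Docs.Public", frozenset({"howto"}), frozenset({"*"})),
    Doc("Docs.Secret", frozenset({"howto", "project-zeus"}), frozenset({"alice"})),
]


if __name__ == "__main__":
    # "bob" cannot view Docs.Secret; compare what each ordering tells him.
    print("leaky :", list_docs_leaky(SAMPLE_DOCS, "bob", "Secret", 0, 10))
    print("secure:", list_docs(SAMPLE_DOCS, "bob", "Secret", 0, 10))
    print("tags  :", tags_for(SAMPLE_DOCS, "bob"))
```

Run as a user who cannot view `Docs.Secret`, the leaky listing still answers a query for "Secret" with a total of 1 and one obfuscated row, and a naive tag cloud would still contain `project-zeus`; the corrected versions return a total of 0 and only the tags of the public page.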
CVE-2023-35157 | P4 | MEDIUM | CVSS 4.8 | affected: >= 3.2-milestone-3, < 14.10.6; >= 15.0-rc-0, < 15.1-rc-1 | 2023-06-23
CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can be exploited only if the attacker knows the CSRF token of the user, or if the user ignores the warning about the m
Source: NVD
CVE-2023-38509 | P4 | MEDIUM | CVSS 4.3 | affected: >= 3.5-milestone-1, < 14.10.9; >= 15.0, < 15.3-rc-1 | 2023-11-07
CWE-402: XWiki Platform is a generic wiki platform. In org.xwiki.platform:xwiki-platform-livetable-ui starting with version 3.5-milestone-1 and prior to versions 14.10.9 and 15.3-rc-1, the mail obfuscation configuration was not fully taken into account and it was still possible to obtain emails that should have been obfuscated. This has been patched in XWiki 14.10.9 and XWiki 15.3-rc-1.
Source: NVD