XWiki Platform (xwiki/xwiki-platform) vulnerabilities
227 known vulnerabilities affecting xwiki/xwiki-platform.

Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3
Vulnerabilities
Page 2 of 12
CVE-2023-36469  HIGH (CVSS 8.8, priority P2)  CWE-74  published 2023-06-29
Affected: >= 9.6-rc-1, < 14.10.6; >= 15.0-rc-1, < 15.2-rc-1
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary script macros, including Groovy and Python macros, that allow remote code execution including unrestricted read and write access to all wiki contents. This ha
Source: nvd
CVE-2023-50721  HIGH (CVSS 8.8, priority P2)  CWE-94  published 2023-12-15
Affected: >= 4.5-rc-1, < 14.10.15; >= 15.0-rc-1, < 15.5.2; one further range not shown on this page
XWiki Platform is a generic wiki platform. Starting in 4.5-rc-1 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros including Groovy macros that allow remote code execution,
Source: nvd
CVE-2023-26477  CRITICAL (CVSS 9.8, priority P2)  CWE-95  published 2023-03-02
Affected: >= 6.2.4, < 13.10.10; >= 14.0, < 14.4.6; one further range not shown on this page
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1
Source: nvd
CVE-2022-36099  HIGH (CVSS 8.8, priority P2)  CWE-94  published 2022-09-08
Affected: >= 5.3-milestone-2, < 13.10.6; >= 14.0, < 14.4
XWiki Platform Wiki UI Main Wiki is software for managing subwikis on XWiki Platform, a generic wiki platform. Starting with version 5.3-milestone-2 and prior to versions 13.10.6 and 14.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the request (URL parameter) using the `XWikiServerClassSheet` i
Source: nvd
CVE-2024-31465  HIGH (CVSS 8.8, priority P2)  CWE-95  published 2024-04-10
Affected: >= 5.2-milestone-2, < 14.10.20; >= 15.0-rc-1, < 15.5.4; one further range not shown on this page
XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.20, 15.5.4, and 15.9-rc-1, any user with edit right on any page can execute any code on the server by adding an object of type `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and a
Source: nvd
CVE-2023-29525  HIGH (CVSS 8.8, priority P2)  CWE-74  published 2023-04-19
Affected: < 14.4.8 (fixed in 14.4.8); >= 14.5.0, < 14.10.3
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Affected versions of XWiki are subject to code injection in the `since` parameter of the `/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration` endpoint. This provides an XWiki syntax injection attack via the `since` parameter, al
Source: nvd
CVE-2023-45136  CRITICAL (CVSS 9.6, priority P2)  CWE-79  public PoC  published 2023-10-25
Affected: >= 12.0-rc-1, < 14.10.12; >= 15.0-rc-1, < 15.5-rc-1
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When document names are validated according to a name strategy (disabled by default), XWiki starting in version 12.0-rc-1 and prior to versions 14.10.12 and 15.5-rc-1 is vulnerable to a reflected cross-site scripting attack in the page creation
Source: nvd
CVE-2023-29524  HIGH (CVSS 8.8, priority P2)  CWE-74  published 2023-04-19
Affected: < 14.10.3 (fixed in 14.10.3)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the rights of the Scheduler Application sheet page. A user without script or programming rights can edit their user profile with the object editor and add a new object of type XWiki.SchedulerJobClass; in "Job Script
Source: nvd
CVE-2023-29509  HIGH (CVSS 8.8, priority P2)  CWE-95  published 2023-04-16
Affected: >= 7.2-rc-1, < 13.10.11; >= 14.0-rc-1, < 14.4.7; one further range not shown on this page
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `documentTree` macro parameters in This macro is in
Source: nvd
CVE-2023-50720  MEDIUM (CVSS 5.3, priority P3)  CWE-200  public PoC  published 2023-12-15
Affected: < 14.10.15 (fixed in 14.10.15); >= 15.0-rc-1, < 15.5.2; one further range not shown on this page
XWiki Platform is a generic wiki platform. Prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. To demonstrate the vulnerability, search for `objcontent:email*` using XWiki's regular search interface. This has been fixed in XWiki
Source: nvd
CVE-2023-29516  HIGH (CVSS 8.8, priority P2)  CWE-74  published 2023-04-19
Affected: < 13.10.11 (fixed in 13.10.11); >= 14.0.0, < 14.4.8; one further range not shown on this page
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping in the "Cancel and return to page" button. T
Source: nvd
CVE-2023-32068  MEDIUM (CVSS 6.1, priority P3)  CWE-601  public PoC  published 2023-05-15
Affected: < 14.10.4 (fixed in 14.10.4)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 14.10.4 it's possible to exploit well-known parameters in XWiki URLs to perform a redirection to an untrusted site. This vulnerability was partially fixed in the past for XWiki 12.10.7 and 13.3RC1 but there is still the possibilit
Source: nvd
CVE-2022-36100  HIGH (CVSS 8.8, priority P2)  CWE-94  published 2022-09-08
Affected: >= 2.0, < 14.10.7; >= 15.0-rc-1, < 15.2-rc-1
XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Starting with version 1.7 in XWiki Platform Applications Tag and prior to 13.10.6 and 14.4 in XWiki Platform Tag UI, the tags document `Main.Tags` in XWiki didn't sanitize user inputs properly. This allowed users with view rights on the doc
Source: nvd
CVE-2023-32071  CRITICAL (CVSS 9.0, priority P2)  CWE-79  published 2023-05-09
Affected: >= 2.2-milestone-1, < 14.4.8; >= 14.5, < 14.10.4
XWiki Platform is a generic wiki platform. Starting in versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute JavaScript with the rights of any user by leading them to a special URL on the wiki targeting a page which contains an attachment. This has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8.
Source: nvd
CVE-2023-26475  HIGH (CVSS 8.8, priority P2)  CWE-269  published 2023-03-02
Affected: >= 2.3-milestone-1, < 13.10.11; >= 14.0-rc-1, < 14.4.7; one further range not shown on this page
XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the rights of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround exc
Source: nvd
CVE-2022-36098  CRITICAL (CVSS 9.0, priority P2)  CWE-79  published 2022-09-08
Affected: >= 12.5-rc-1, < 13.10.6; >= 14.0, < 14.4
XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store JavaScript or Groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the
Source: nvd
CVE-2023-35150  HIGH (CVSS 8.0, priority P2)  CWE-95  published 2023-06-23
Affected: >= 2.4-m-2, < 14.4.8; >= 14.5, < 14.10.4
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.4-m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting a URL with a dangerous payload. The proble
Source: nvd
CVE-2023-35166  HIGH (CVSS 8.8, priority P2)  CWE-863  published 2023-06-20
Affected: >= 8.1-milestone-1, < 14.10.5; >= 15.0-rc-1, < 15.1-rc-1
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the rights of the TipsPanel author by creating a tip UI extension. This has been patched in XWiki 15.1-rc-1 and 14.10.5.
Source: nvd
CVE-2022-36094  CRITICAL (CVSS 9.0, priority P2)  CWE-79  published 2022-09-08
Affected: >= 1.0, < 13.10.6; >= 14.0, < 14.3-rc-1
XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.3-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing JavaScript in its name. This issue has been patched in XWiki
Source: nvd
CVE-2022-36096  CRITICAL (CVSS 9.0, priority P2)  CWE-79  published 2022-09-08
Affected: >= 2.2-milestone-1, < 13.10.6; >= 14.0, < 14.3
The XWiki Platform Index UI is an index of all pages, attachments, orphans and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing JavaScript in its name. T
Source: nvd
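The "Affected" ranges on this page span two release branches per advisory and use XWiki's pre-release qualifiers (milestone, rc), so deciding whether a deployed version is in scope by plain string comparison goes wrong easily (for example "14.4" must sort equal to "14.4.0", and "15.0-rc-1" must sort before "15.0"). The script below is an added example, not code from this page or from the XWiki project. It transcribes the ranges exactly as this page lists them, treating each lower bound as inclusive, each upper bound as the first fixed version (exclusive), and a bare "fixed in X" as a range with no lower bound; the ranges this page only summarises as "+1 more" are not on the page and are therefore omitted, so a version that matches nothing here is not proven clean for those entries. The ordering milestone < rc < final release, and "m" as shorthand for "milestone" (as in the page's "2.4-m-2"), are assumptions.

```python
"""Check an XWiki version against the affected ranges listed on this page.

Added example; not from the page or the XWiki project. ADVISORIES transcribes
the page's "Affected" fields; the "+1 more" ranges the page does not show are
omitted, so an empty result does not prove a version is unaffected.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: XWiki pre-release qualifiers order as milestone < rc < final release,
# and "m" is the short form of "milestone" (the page writes "2.4-m-2").
_QUALIFIER_RANK = {"milestone": 0, "m": 0, "rc": 1}
_FINAL_RANK = 2
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-?(milestone|m|rc)-?(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '14.10.6', '15.0-rc-1', '5.3-milestone-2' or '13.3RC1' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    core = [int(part) for part in m.group(1).split(".")]
    core += [0] * (4 - len(core))  # pad so that 14.4 == 14.4.0
    if m.group(2) is None:
        return (tuple(core), _FINAL_RANK, 0)
    return (tuple(core), _QUALIFIER_RANK[m.group(2).lower()], int(m.group(3)))


@dataclass(frozen=True)
class Range:
    """Inclusive lower bound (None = unbounded) and exclusive upper bound (first fixed version)."""
    low: Optional[str]
    high: str

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.low is not None and v < parse_version(self.low):
            return False
        return v < parse_version(self.high)


# Transcribed from this page; "+1 more" ranges are not shown on the page and are omitted.
ADVISORIES = {
    "CVE-2023-36469": [Range("9.6-rc-1", "14.10.6"), Range("15.0-rc-1", "15.2-rc-1")],
    "CVE-2023-50721": [Range("4.5-rc-1", "14.10.15"), Range("15.0-rc-1", "15.5.2")],
    "CVE-2023-26477": [Range("6.2.4", "13.10.10"), Range("14.0", "14.4.6")],
    "CVE-2022-36099": [Range("5.3-milestone-2", "13.10.6"), Range("14.0", "14.4")],
    "CVE-2024-31465": [Range("5.2-milestone-2", "14.10.20"), Range("15.0-rc-1", "15.5.4")],
    "CVE-2023-29525": [Range(None, "14.4.8"), Range("14.5.0", "14.10.3")],
    "CVE-2023-45136": [Range("12.0-rc-1", "14.10.12"), Range("15.0-rc-1", "15.5-rc-1")],
    "CVE-2023-29524": [Range(None, "14.10.3")],
    "CVE-2023-29509": [Range("7.2-rc-1", "13.10.11"), Range("14.0-rc-1", "14.4.7")],
    "CVE-2023-50720": [Range(None, "14.10.15"), Range("15.0-rc-1", "15.5.2")],
    "CVE-2023-29516": [Range(None, "13.10.11"), Range("14.0.0", "14.4.8")],
    "CVE-2023-32068": [Range(None, "14.10.4")],
    "CVE-2022-36100": [Range("2.0", "14.10.7"), Range("15.0-rc-1", "15.2-rc-1")],
    "CVE-2023-32071": [Range("2.2-milestone-1", "14.4.8"), Range("14.5", "14.10.4")],
    "CVE-2023-26475": [Range("2.3-milestone-1", "13.10.11"), Range("14.0-rc-1", "14.4.7")],
    "CVE-2022-36098": [Range("12.5-rc-1", "13.10.6"), Range("14.0", "14.4")],
    "CVE-2023-35150": [Range("2.4-m-2", "14.4.8"), Range("14.5", "14.10.4")],
    "CVE-2023-35166": [Range("8.1-milestone-1", "14.10.5"), Range("15.0-rc-1", "15.1-rc-1")],
    "CVE-2022-36094": [Range("1.0", "13.10.6"), Range("14.0", "14.3-rc-1")],
    "CVE-2022-36096": [Range("2.2-milestone-1", "13.10.6"), Range("14.0", "14.3")],
}


def affected_cves(version: str) -> list:
    """CVEs from this page whose listed ranges contain the given version, sorted by id."""
    return sorted(cve for cve, ranges in ADVISORIES.items()
                  if any(r.contains(version) for r in ranges))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "14.10.3"
    for cve in affected_cves(target):
        print(cve)
```

Run it as `python xwiki_ranges.py 14.10.3` to list the advisories on this page whose ranges contain that build. The exclusive upper bound matters in practice: 14.10.3 is the first fixed version for CVE-2023-29525 and CVE-2023-29524 and is not flagged for them, while 14.10.2 is.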