
Xwiki Xwiki-Platform vulnerabilities

227 known vulnerabilities affecting xwiki/xwiki-platform.

Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3

Vulnerabilities

Page 5 of 12
CVE-2020-15252 | P3 | HIGH | CVSS 8.8 | affected >= 12.0, < 12.5 | fixed in 11.10.6 | 2020-10-16
CVE-2020-15252 [HIGH] CWE-94: In XWiki before version 12.5 and 11.10.6, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. This is patched in XWiki 12.5 and XWiki 11.10.6.
Source: nvd
CVE-2025-29926 | P3 | CRITICAL | CVSS 9.8 | affected >= 5.4-rc-1, < 15.10.15; >= 16.0.0-rc-1, < 16.4.6; +1 more | 2025-03-19
CVE-2025-29926 [CRITICAL] CWE-285: XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through
Source: nvd
CVE-2023-45134 | P3 | CRITICAL | CVSS 9.0 | affected >= 3.1-milestone-1, < 13.4-rc-1; >= 2.4-milestone-2, < 3.1-milestone-1; +2 more | 2023-10-25
CVE-2023-45134 [CRITICAL] CWE-79: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. `org.xwiki.platform:xwiki-platform-web` starting in version 3.1-milestone-1 and prior to 13.4-rc-1, `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.2 and 15.5-rc-1, and `org.xwiki.platform:xwiki-web-standard` starting i
Source: nvd
CVE-2023-29518 | P3 | HIGH | CVSS 8.8 | fixed in 13.10.11; affected >= 14.0.0, < 14.4.8; +1 more | 2023-04-19
CVE-2023-29518 [HIGH] CWE-74: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Invitation.InvitationCommon`. This page is installed by default. The v
Source: nvd
CVE-2024-56158 | P3 | CRITICAL | CVSS 9.8 | affected >= 1.0, < 15.10.16; >= 16.0.0-rc-1, < 16.4.7; +1 more | 2025-06-12
CVE-2024-56158 [CRITICAL] CWE-89: XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15
Source: nvd
CVE-2022-41934 | P3 | HIGH | CVSS 8.8 | fixed in 13.10.8; affected >= 14.0.0, < 14.4.3 | 2022-11-23
CVE-2022-41934 [HIGH] CWE-74: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on commonly accessible documents including the menu macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation due to improper escaping of the macro content and par
Source: nvd
CVE-2023-29210 | P3 | HIGH | CVSS 8.8 | affected >= 13.2-rc-1, < 13.10.11; >= 14.0-rc-1, < 14.4.7; +1 more | 2023-04-15
CVE-2023-29210 [HIGH] CWE-95: XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the user
Source: nvd
CVE-2023-29526 | P3 | HIGH | CVSS 8.8 | affected >= 10.11.1, < 13.10.11; >= 14.0.0, < 14.4.8; +1 more | 2023-04-19
CVE-2023-29526 [HIGH] CWE-74: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either macro will be executed when viewed providing a code injection vector in the c
Source: nvd
CVE-2023-29512 | P3 | HIGH | CVSS 8.8 | fixed in 13.10.11; affected >= 14.0.0, < 14.4.8; +1 more | 2023-04-19
CVE-2023-29512 [HIGH] CWE-74: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., its own user page) can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attac
Source: nvd
CVE-2023-29209 | P3 | HIGH | CVSS 8.8 | affected >= 10.9, < 13.10.11; >= 14.0-rc-1, < 14.4.7; +1 more | 2023-04-15
CVE-2023-29209 [HIGH] CWE-95: XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the ma
Source: nvd
CVE-2023-29521 | P3 | HIGH | CVSS 8.8 | fixed in 13.10.11; affected >= 14.0.0, < 14.4.8; +1 more | 2023-04-19
CVE-2023-29521 [HIGH] CWE-74: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Macro.VFSTreeMacro`. This page is not installed by default. This vulner
Source: nvd
CVE-2023-29527 | P3 | HIGH | CVSS 8.8 | affected >= 7.4.4, < 14.10.3 | 2023-04-19
CVE-2023-29527 [HIGH] CWE-74: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions a user without script or programming right may edit a user profile (or any other document) with the wiki editor and add groovy script content. Viewing the document after saving it will execute the groovy script in the server con
Source: nvd
CVE-2023-46243 | P3 | HIGH | CVSS 8.8 | affected >= 1.0, < 14.10.6 | 2023-11-07
CVE-2023-46243 [HIGH] CWE-94: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user has edit right on it. A crafted URL of the form ` /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28
Source: nvd
CVE-2024-41947 | P3 | MEDIUM | CVSS 5.4 | PoC | affected >= 11.8-rc-1, < 15.10.8; >= 16.0.0-rc-1, < 16.3.0-rc-1 | 2024-07-31
CVE-2024-41947 [MEDIUM] CWE-80: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWik
Source: nvd
CVE-2022-36097 | P3 | MEDIUM | CVSS 6.1 | affected >= 14.0-rc-1, < 14.4-rc-1 | 2022-09-08
CVE-2022-36097 [MEDIUM] CWE-79: XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in
Source: nvd
CVE-2023-37277 | P3 | CRITICAL | CVSS 9.6 | affected >= 1.8, < 14.10.8; >= 15.0-rc-1, < 15.2 | 2023-07-10
CVE-2023-37277 [CRITICAL] CWE-352: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/www-form-urlencoded` as content types which can be sent via regular HTML forms, thus allowing cross-site request forgery
Source: nvd
CVE-2023-29211 | P3 | HIGH | CVSS 8.8 | affected >= 5.3-milestone-2, < 13.10.11; >= 14.0-rc-1, < 14.4.7; +1 more | 2023-04-16
CVE-2023-29211 [HIGH] CWE-95: XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` url parameter. The problem has been patched on XWi
Source: nvd
CVE-2023-50723 | P3 | HIGH | CVSS 8.8 | affected >= 2.3, < 14.10.15; >= 15.0-rc-1, < 15.5.2; +1 more | 2023-12-15
CVE-2023-50723 [HIGH] CWE-94: XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying sections in the administration interface. This impacts the confidentiality,
Source: nvd
CVE-2023-29511 | P3 | HIGH | CVSS 8.8 | affected >= 14.0-rc-1, < 14.4.8; >= 14.5, < 14.10.1; +1 more | 2023-04-16
CVE-2023-29511 [HIGH] CWE-95: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., its own user page) can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the section ids in `XWiki.AdminFi
Source: nvd
CVE-2023-30537 | P3 | HIGH | CVSS 8.8 | affected >= 12.6.6, < 13.10.11; >= 14.0-rc-1, < 14.4.7; +1 more | 2023-04-16
CVE-2023-30537 [HIGH] CWE-95: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties `FlamingoThemesCode.WebH
Source: nvd