
Xwiki Xwiki-Platform vulnerabilities

227 known vulnerabilities affecting xwiki/xwiki-platform.

Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3

Vulnerabilities

Page 6 of 12
CVE-2023-40573 | P3 | HIGH | CVSS 8.8 | fixed in 14.10.9; v>= 1.3 (+1 more) | 2023-08-24
CVE-2023-40573 [HIGH] CWE-284: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document doesn't modify the content author. Together with a CSR
Source: nvd
CVE-2023-46244 | P3 | HIGH | CVSS 8.8 | v>= 3.2-milestone-3, < 14.10.7 | 2023-11-07
CVE-2023-46244 [HIGH] CWE-863: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to write a script in which any velocity content is executed with the right of any other document content author. Since this API requires programming right and the user does not have it, the expected resu
Source: nvd
CVE-2024-31988 | P3 | HIGH | CVSS 8.8 | v>= 13.9-rc-1, < 14.10.19; v>= 15.0-rc-1, < 15.5.4 (+1 more) | 2024-04-10
CVE-2024-31988 [HIGH] CWE-352: XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by getting an admin user to either visit a crafted URL or
Source: nvd
CVE-2021-32621 | P3 | HIGH | CVSS 8.8 | fixed in 12.6.7; v>= 12.10.0, < 12.10.3 | 2021-05-28
CVE-2021-32621 [HIGH] CWE-94: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 12.6.7 and 12.10.3, a user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard. The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.
Source: nvd
CVE-2021-21380 | P3 | HIGH | CVSS 8.8 | fixed in 12.9 | 2021-03-23
CVE-2021-21380 [HIGH] CWE-89: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service exposes an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection
Source: nvd
CVE-2023-29214 | P3 | HIGH | CVSS 8.8 | v>= 1.1-M2, < 13.10.11; v>= 14.0-rc-1, < 14.4.7 (+1 more) | 2023-04-16
CVE-2023-29214 [HIGH] CWE-95: XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. The problem has been patched on XWiki
Source: nvd
CVE-2023-29212 | P3 | HIGH | CVSS 8.8 | v>= 14.0-rc-1, < 14.4.7; v>= 14.5, < 14.10 | 2023-04-16
CVE-2023-29212 [HIGH] CWE-95: XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the included documents edit panel. The problem has been patched on
Source: nvd
CVE-2022-41931 | P3 | HIGH | CVSS 8.8 | v>= 6.4-milestone-2, < 13.10.7; v>= 14.0.0, < 14.4.2 | 2022-11-23
CVE-2022-41931 [HIGH] CWE-95: xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picke
Source: nvd
CVE-2023-40177 | P3 | HIGH | CVSS 8.8 | v>= 4.3-milestone-2, < 14.10.5 | 2023-08-23
CVE-2023-40177 [HIGH] CWE-95: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can use the content field of their user profile page to execute arbitrary scripts with programming rights, thus effectively performing rights escalation. This issue is present since version 4.3M2 when AppWithinMinutes Application
Source: nvd
CVE-2024-55662 | P3 | HIGH | CVSS 8.8 | v>= 3.3-milestone-1, < 15.10.9; v>= 16.0.0-rc-1, < 16.3.0 | 2024-12-12
CVE-2024-55662 [HIGH] CWE-96: XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repositor
Source: nvd
CVE-2025-49586 | P3 | HIGH | CVSS 8.8 | v>= 7.2-milestone-2, < 16.4.7; v>= 16.5.0-rc-1, < 16.10.3 (+1 more) | 2025-06-13
CVE-2025-49586 [HIGH] CWE-863: XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all XWiki users) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.
Source: nvd
CVE-2025-49581 | P3 | HIGH | CVSS 8.8 | v>= 11.10.11, < 12.0; v>= 12.6.3, < 12.7 (+3 more) | 2025-06-13
CVE-2025-49581 [HIGH] CWE-94: XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with
Source: nvd
CVE-2023-29207 | P3 | CRITICAL | CVSS 9.0 | v>= 1.9-milestone-2, < 13.10.10; v>= 14.0-rc-1, < 14.4.6 (+1 more) | 2023-04-15
CVE-2023-29207 [CRITICAL] CWE-79: XWiki Commons are technical libraries common to several other top level XWiki projects. The Livetable Macro wasn't properly sanitizing column names, thus allowing the insertion of raw HTML code including JavaScript. This vulnerability was also exploitable via the Documents Macro that is included since XWiki 3.5M1 and doesn't require script rights, t
Source: nvd
CVE-2023-37910 | P3 | HIGH | CVSS 8.1 | v>= 14.0-rc-1, < 14.4.8; v>= 14.5, < 14.10.4 | 2023-10-25
CVE-2023-37910 [HIGH] CWE-862: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with the introduction of attachment move support in version 14.0-rc-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, an attacker with edit access on any document (can be the user profile which is editable by default) can move any at
Source: nvd
CVE-2021-32620 | P3 | HIGH | CVSS 8.8 | fixed in 11.10.13; v>= 12.6.0, < 12.6.7 (+1 more) | 2021-05-28
CVE-2021-32620 [HIGH] CWE-285: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 11.10.13, 12.6.7, and 12.10.2, a user disabled on a wiki using email verification for registration could re-activate themself by using the activation link provided for their registration. The problem has been patched in the foll
Source: nvd
CVE-2023-35152 | P3 | HIGH | CVSS 8.8 | v>= 12.9-rc-1, < 14.4.8; v>= 14.5, < 14.10.6 (+1 more) | 2023-06-23
CVE-2023-35152 [HIGH] CWE-95: XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights, leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround,
Source: nvd
CVE-2023-32069 | P3 | HIGH | CVSS 8.8 | v>= 3.3-milestone-3, < 14.10.4 | 2023-05-09
CVE-2023-32069 [HIGH] CWE-863: XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. This has been patched in XWiki 15.0-rc-1 and 14.10.4. There are no known workarounds.
Source: nvd
CVE-2023-50722 | P3 | HIGH | CVSS 8.8 | v>= 2.3, < 14.10.15; v>= 15.0-rc-1, < 15.5.2 (+1 more) | 2023-12-15
CVE-2023-50722 [HIGH] CWE-79: XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, there is a reflected XSS or also direct remote code execution vulnerability in the code for displaying configurable admin sections. The code that can be passed through a URL parameter is only executed when the user who is visiting the craft
Source: nvd
CVE-2022-29161 | P3 | CRITICAL | CVSS 9.8 | fixed in 13.10.6; v>= 14.0.0, < 14.3.1 (+1 more) | 2022-05-06
CVE-2022-29161 [CRITICAL] CWE-327: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for use in certificate signatures, due to the risk of collisions with SHA1. The problem has been patched in XWiki v
Source: nvd
CVE-2023-26471 | P3 | HIGH | CVSS 8.8 | v>= 11.6-rc-1, < 13.10.10; v>= 14.0, < 14.4.6 (+1 more) | 2023-03-02
CVE-2023-26471 [HIGH] CWE-284: XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means that any user with comment right can use the async macro to make it execute a
Source: nvd
Xwiki Xwiki-Platform vulnerabilities | cvebase