
Xwiki Xwiki-Platform vulnerabilities

227 known vulnerabilities affecting xwiki/xwiki-platform.

Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3

Vulnerabilities

Page 8 of 12
CVE-2023-40572 | P3 | HIGH | CVSS 8.0 | affected: >= 3.2-milestone-3, < 14.10.9; >= 15.0-rc-1, < 15.4-rc-1 | 2023-08-24
CVE-2023-40572 [HIGH] CWE-352: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation.
Source: nvd
CVE-2025-49584 | P3 | HIGH | CVSS 7.5 | affected: >= 10.9, < 16.4.7; >= 16.5.0-rc-1, < 16.10.3; +1 more | 2025-06-13
CVE-2025-49584 [HIGH] CWE-201: XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible; this is the default for an XWiki installation. This allows an attacker to g
Source: nvd
CVE-2023-26478 | P3 | HIGH | CVSS 8.1 | affected: >= 14.3-rc-1, < 14.4.6; >= 14.5, < 14.9-rc-1 | 2023-03-02
CVE-2023-26478 [HIGH] CWE-749: XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right. `com.xpn.xwiki.api.Attachment` should be used inste
Source: nvd
CVE-2024-37899 | P3 | HIGH | CVSS 8.0 | affected: >= 13.4.7, <= 13.5; >= 13.10.3, < 14.10.21; +3 more | 2024-06-20
CVE-2024-37899 [HIGH] CWE-94: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script
Source: nvd
CVE-2025-23025 | P3 | HIGH | CVSS 8.0 | affected: >= 13.9-rc-1, < 15.10.12; >= 16.0.0, < 16.4.1; +1 more | 2025-01-14
CVE-2025-23025 [HIGH] CWE-862: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **e
Source: nvd
CVE-2025-49585 | P3 | HIGH | CVSS 8.0 | affected: fixed in 15.10.16; >= 16.0.0-rc-1, < 16.4.7; +1 more | 2025-06-13
CVE-2025-49585 [HIGH] CWE-357: XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be
Source: nvd
CVE-2023-27480 | P3 | HIGH | CVSS 7.7 | affected: >= 1.1-milestone-3, < 13.10.11; >= 14.0.0, < 14.4.7; +1 more | 2023-03-07
CVE-2023-27480 [HIGH] CWE-611: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11,
Source: nvd
CVE-2023-29517 | P3 | HIGH | CVSS 7.5 | affected: fixed in 13.10.11; >= 14.0.0, < 14.4.8; +1 more | 2023-04-19
CVE-2023-29517 [HIGH] CWE-200: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The office document viewer macro was allowing anyone to see any file content from the hosting server, provided that the office server was connected and depending on the permissions of the user running the servlet engine (e.g. Tomcat) running XWiki.
Source: nvd
CVE-2022-41937 | P3 | HIGH | CVSS 8.1 | affected: fixed in 13.10.8; >= 14.0.0, < 14.4.3; +1 more | 2022-11-22
CVE-2022-41937 [HIGH] CWE-862: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package. The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8. As a workaround, setting the right of the page Filter.WebHome and mak
Source: nvd
CVE-2025-49580 | P3 | HIGH | CVSS 8.0 | affected: >= 17.0.0-rc-1, < 17.1.0-rc-1; >= 16.5.0-rc-1, < 16.10.4; +2 more | 2025-06-13
CVE-2025-49580 [HIGH] CWE-266: XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1,
Source: nvd
CVE-2022-23619 | P3 | HIGH | CVSS 7.5 | affected: >= 13.6.0, < 13.6RC1; >= 13.0.0, < 13.4.1; +1 more | 2022-02-09
CVE-2022-23619 [HIGH] CWE-200: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to guess if a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users. This problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advi
Source: nvd
CVE-2023-34467 | P3 | HIGH | CVSS 7.5 | affected: >= 3.5-milestone-1, < 14.4.8; >= 14.5, < 14.10.4 | 2023-06-23
CVE-2023-34467 [HIGH] CWE-402: XWiki Platform is a generic wiki platform. Starting in version 3.5-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, the mail obfuscation configuration was not fully taken into account. While the mail displayed to the end user was obfuscated, the REST response also contained the mail unobfuscated, and users were able to filter and
Source: nvd
CVE-2023-35151 | P3 | HIGH | CVSS 7.5 | affected: >= 7.3-milestone-1, < 14.4.8; >= 14.5, < 14.10.6; +1 more | 2023-06-23
CVE-2023-35151 [HIGH] CWE-359: XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki 14.4.8, 14.10.6, and 15.1. There is no known workaround.
Source: nvd
CVE-2025-66473 | P3 | HIGH | CVSS 7.5 | affected: fixed in 16.10.11; >= 17.0.0-rc-1, < 17.4.4; +1 more | 2025-12-10
CVE-2025-66473 [HIGH] CWE-770: XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can l
Source: nvd
CVE-2023-26476 | P3 | HIGH | CVSS 7.5 | affected: >= 3.2-m3, < 13.4.4; >= 13.5.0, < 13.10.9; +1 more | 2023-03-02
CVE-2023-26476 [HIGH] CWE-200: XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated calls to `LiveTableResults` and `WikisLiveTableResultsMacros`. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on `LiveTable
Source: nvd
CVE-2022-36092 | P3 | HIGH | CVSS 7.5 | affected: >= 1.7, < 13.10.6; >= 14.0, < 14.4 | 2022-09-08
CVE-2022-36092 [HIGH] CWE-287: XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 14.2 and 13.10.4, all rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the login action and directly specified templates. This exposes title, content and comments of any document and propertie
Source: nvd
CVE-2022-36091 | P3 | HIGH | CVSS 7.5 | affected: >= 1.3, < 13.10.4; >= 14.0, < 14.2 | 2022-09-08
CVE-2022-36091 [HIGH] CWE-359: XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered us
Source: nvd
CVE-2022-36093 | P3 | HIGH | CVSS 7.1 | affected: >= 8.0-rc-1, < 13.10.5; >= 14.0, < 14.3-rc-1 | 2022-09-08
CVE-2022-36093 [HIGH] CWE-287: XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. By passing a template of the distribution wizard to the xpart template, user accounts can be created even when user registration is disabled. This also circumvents any email verification. Before versions 14.2 and 13.10.4, this can also be exploited on a private wik
Source: nvd
CVE-2024-43401 | P3 | HIGH | CVSS 8.0 | affected: fixed in 15.10-rc-1 | 2024-08-19
CVE-2024-43401 [HIGH] CWE-269: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous c
Source: nvd
CVE-2025-49587 | P3 | HIGH | CVSS 8.0 | affected: >= 15.9-rc-1, < 15.10.16; >= 16.0.0-rc-1, < 16.4.7; +1 more | 2025-06-13
CVE-2025-49587 [HIGH] CWE-357: XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Vel
Source: nvd