Xwiki Xwiki-Platform vulnerabilities
227 known vulnerabilities affecting xwiki/xwiki-platform.
Total CVEs: 227
CISA KEV: 1 (actively exploited)
Public exploits: 36
Exploited in wild: 14
Severity breakdown: CRITICAL 29, HIGH 111, MEDIUM 84, LOW 3
Vulnerabilities
Page 9 of 12
CVE-2023-29208 | P3 | HIGH | CVSS 7.5 | CWE-668 | Affected: >= 1.2-milestone-1, < 13.10.11; >= 14.0-rc-1, < 14.4.7; +1 more | 2023-04-15
XWiki Commons are technical libraries common to several other top level XWiki projects. Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impacts deleted documents that contained view rights: the view rights provided on a space of a deleted document are properly checked. The
Source: nvd
CVE-2022-41936 | P3 | HIGH | CVSS 7.5 | CWE-359 | Affected: >= 8.1, < 13.10.8; >= 14.0.0, < 14.4.3; +1 more | 2022-11-22
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users is exposed through the `modifications` rest endpoint (comments and page names etc). Users should upg
Source: nvd
CVE-2023-29507 | P3 | HIGH | CVSS 7.2 | CWE-648 | Affected: >= 14.5, < 14.10; >= 14.4.1, < 14.4.7 | 2023-04-16
XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14
Source: nvd
CVE-2023-26473 | P3 | MEDIUM | CVSS 6.5 | CWE-284 | Affected: >= 1.3-rc-1, < 13.10.11; >= 14.0, < 14.4.7; +1 more | 2023-03-02
XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading.
Source: nvd
CVE-2025-54124 | P3 | MEDIUM | CVSS 6.5 | CWE-359 | Affected: >= 9.8-rc-1, < 16.4.7; >= 16.5.0-rc-1, < 16.10.5; +1 more | 2025-08-06
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that referen
Source: nvd
CVE-2023-41046 | P3 | MEDIUM | CVSS 6.3 | CWE-862 | Affected: >= 7.2, < 14.10.10; >= 15.0-rc-1, < 15.4-rc-1 | 2023-09-01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible in XWiki to execute Velocity code without having script right by creating an XClass with a property of type "TextArea" and content type "VelocityCode" or "VelocityWiki". For the former, the syntax of the document needs to be set th
Source: nvd
CVE-2020-15171 | P3 | MEDIUM | CVSS 6.6 | CWE-94 | Affected: < 11.10.5; >= 12.0.0, < 12.2.1 | 2020-09-10
In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. The only workaround is to give SCRIPT right only to trusted use
Source: nvd
CVE-2023-37911 | P3 | MEDIUM | CVSS 6.5 | CWE-668 | Affected: >= 9.4-rc-1, < 14.10.8; >= 15.0-rc-1, < 15.3-rc-1 | 2023-10-25
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possible for users with view right on the re-created document but not on the deleted document to view the contents of
Source: nvd
CVE-2023-26470 | P3 | HIGH | CVSS 7.5 | CWE-400 | Affected: fixed in 14.0-rc-1 | 2023-03-02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). Most of the time this will fill the memory allocated to XWiki and make it unusable every time this document is manipulated. This issue has bee
Source: nvd
CVE-2022-23617 | P3 | MEDIUM | CVSS 6.5 | CWE-862 | Affected: >= 13.0.0, < 13.2-rc-1; fixed in 12.10.6 | 2022-02-09
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit right can copy the content of a page they do not have access to by using it as the template of a new page. This issue has been patched in XWiki 13.2RC1 and 12.10.6. Users are advised to update. There are no kno
Source: nvd
CVE-2023-29520 | P3 | MEDIUM | CVSS 6.5 | CWE-248 | Affected: fixed in 13.10.11; >= 14.0.0, < 14.4.8; +1 more | 2023-04-19
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to break many translations coming from wiki pages by creating a corrupted document containing a translation object. This will lead to a broken page. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.1
Source: nvd
CVE-2024-46978 | P3 | MEDIUM | CVSS 6.5 | CWE-648 | Affected: >= 13.2-rc-1, < 14.10.21; >= 15.0.0, < 15.5.5; +1 more | 2024-09-18
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing the ID of a notification filter preference of another user to enable/disable it or even delete it. The impact is that the target user might start losing notifications on some pages because of this. This vulner
Source: nvd
CVE-2022-31167 | P3 | MEDIUM | CVSS 6.5 | CWE-285 | Affected: >= 5.0, < 12.10.11; >= 13.0, < 13.4.6; +1 more | 2022-09-07
XWiki Platform Security Parent POM contains the security APIs for XWiki Platform, a generic wiki platform. Starting with version 5.0 and prior to 12.10.11, 13.10.1, and 13.4.6, a bug in the security cache stores rules associated to document Page1.Page2 and space Page1.Page2 in the same cache entry. That means that it's possible to overwrite the righ
Source: nvd
CVE-2023-50732 | P3 | MEDIUM | CVSS 6.3 | CWE-863 | Affected: >= 8.3-rc-1, < 14.10.7; >= 15.0-rc-1, < 15.2-rc-1 | 2023-12-21
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1.
Source: nvd
CVE-2022-41927 | P3 | HIGH | CVSS 7.4 | CWE-352 | Affected: >= 3.2-milestone-2, < 13.10.7; >= 14.0.0, < 14.4.1 | 2022-11-23
XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF) that may allow attackers to delete or rename tags without needing any confirmation. The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1. Workarounds: It's possible to patch existing instances directly by editing the page Main.Tags and add this kind of check, in the code fo
Source: nvd
CVE-2022-41933 | P4 | MEDIUM | CVSS 6.5 | CWE-312 | Affected: >= 13.1RC1, < 13.10.8; >= 14.0.0, < 14.4.3 | 2022-11-23
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When the `reset a forgotten password` feature of XWiki was used, the password was then stored in plain text in the database. This only concerns XWiki 13.1RC1 and newer versions. Note that it only concerns the reset password feature available from the
Source: nvd
CVE-2024-37900 | P4 | MEDIUM | CVSS 4.6 | CWE-96 | Affected: >= 4.2-milestone-3, < 14.10.21; >= 15.0-rc-1, < 15.5.5; +2 more | 2024-07-31
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed dur
Source: nvd
CVE-2023-26479 | P4 | MEDIUM | CVSS 6.5 | CWE-755 | Affected: >= 6.0, < 13.10.10; >= 14.0, < 14.4.6; +1 more | 2023-03-02
XWiki Platform is a generic wiki platform. Starting in version 6.0, users with write rights can insert well-formed content that is not handled well by the parser. As a consequence, some pages become unusable, including the user index (if the page containing the faulty content is a user page) and the page index.
Note that on the page, the normal UI
Source: nvd
CVE-2024-21651 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | Affected: >= 14.10, < 14.10.18; >= 15.0-rc-1, < 15.5.3; +1 more | 2024-01-09
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification time headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. This vulnerability has been patched in XWi
Source: nvd
CVE-2021-32732 | P4 | MEDIUM | CVSS 6.5 | CWE-352 | Affected: fixed in 12.10.5; >= 13.0, < 13.2RC1 | 2022-02-04
Impact: It's possible to know whether or not a user has an account in a wiki related to an email address, and which username(s) is actually tied to that email, by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those requests.
Patches: This issue has been patched
Source: nvd