cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2025-23025,https://securityvulnerability.io/vulnerability/CVE-2025-23025,Vulnerability in XWiki Platform's Realtime WYSIWYG Editor Allows Script Injection,"XWiki Platform features a Realtime WYSIWYG Editor which allows users with edit rights to participate in collaborative editing sessions. However, if a user with limited permissions joins these sessions, they can inadvertently gain access to scripting capabilities by exploiting scripts introduced by those with higher privileges. This vulnerability arises due to the editor being enabled by default in certain versions, raising the critical concern of unauthorized script execution. Patches are available in versions 15.10.2, 16.4.1, and 16.6.0-rc-1. To mitigate risks, users unable to update should either disable the realtime editing feature through the administrative section or uninstall the extension.",Xwiki,Xwiki-platform,9.1,CRITICAL,0.00044999999227002263,false,,false,false,false,,false,false,false,,2025-01-14T18:16:00.000Z,0
CVE-2024-55879,https://securityvulnerability.io/vulnerability/CVE-2024-55879,Arbitrary Remote Code Execution Vulnerability in XWiki Platform,"XWiki Platform, a widely-used wiki software, is susceptible to an arbitrary remote code execution vulnerability that allows users with script rights to manipulate instances of `XWiki.ConfigurableClass` on any page. This flaw jeopardizes the confidentiality, integrity, and availability of the entire XWiki installation. The vulnerability impacts all versions from 2.3 up to, but not including, versions 15.10.9 and 16.3.0, which contain the necessary patch. Users are advised to upgrade their installations to mitigate the associated risks.",Xwiki,Xwiki-platform,9.1,CRITICAL,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T19:17:38.138Z,0
CVE-2024-55877,https://securityvulnerability.io/vulnerability/CVE-2024-55877,Arbitrary Remote Code Execution Vulnerability in XWiki Platform,"The XWiki Platform, a widely used wiki software, is affected by a security vulnerability that allows any authenticated user to execute arbitrary remote code. This flaw arises when users incorporate instances of 'XWiki.WikiMacroClass' onto any page, which severely compromises the confidentiality, integrity, and availability of the XWiki environment. The vulnerability spans versions from 9.7-rc-1 up to but not including 15.10.11, 16.4.1, and 16.5.0. Mitigation is available through updates to the aforementioned versions or via manual patching of the page 'XWiki.XWikiSyntaxMacrosList'.",Xwiki,Xwiki-platform,10,CRITICAL,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T19:13:43.128Z,0
CVE-2024-55663,https://securityvulnerability.io/vulnerability/CVE-2024-55663,Unsanitized Request Parameter Vulnerability in XWiki Platform,"The XWiki Platform is vulnerable to HQL injection due to improper sanitization of request parameters in the document retrieval process. Starting from version 6.3-milestone-2 and up to versions 13.10.4, an attacker can exploit this vulnerability to manipulate document ordering and inject malicious HQL queries. Depending on the backend database, this could lead to unauthorized disclosure of sensitive information, such as password hashes, and unauthorized modifications of database entries via UPDATE, INSERT, or DELETE commands. It is crucial for users to upgrade to patched versions 13.10.5 or 14.3-rc-1 to mitigate these risks effectively.",Xwiki,Xwiki-platform,9.8,CRITICAL,0.0006799999973736703,false,,false,false,false,,,false,false,,2024-12-12T18:53:49.491Z,0
CVE-2024-55662,https://securityvulnerability.io/vulnerability/CVE-2024-55662,XWiki Platform Vulnerability: Any User Can Execute Code,"The XWiki Platform is a flexible wiki solution that, when utilizing the Extension Repository Application prior to versions 15.10.9 and 16.3.0, exposes the system to a significant vulnerability. Any authenticated user can exploit this flaw to execute arbitrary code on the server, particularly with programming rights. To mitigate this issue, instances not utilizing the Extension Repository Application can disable it as a workaround. For those who require continued use of the application, manual patches can be applied to crucial pages to rectify the vulnerability, following the guidance provided in GitHub commit 8659f17d500522bf33595e402391592a35a162e8.",Xwiki,Xwiki-platform,10,CRITICAL,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T17:25:26.297Z,0
CVE-2024-52299,https://securityvulnerability.io/vulnerability/CVE-2024-52299,Vulnerability in PDF Viewer Macro for XWiki Affects User Data Access,"The macro-pdfviewer is a PDF Viewer Macro for XWiki, utilizing the Mozilla pdf.js library. A vulnerability exists that allows users with view permissions on XWiki.PDFViewerService to access any attachment stored in the wiki. This security flaw arises from an incorrect computation of the key used to restrict access, specifically through improper handling of the digest stream. As a result, unauthorized users may gain access to sensitive documents. This issue has been resolved in version 2.5.6, emphasizing the importance of updating to ensure data protection.",Xwiki,PDF Viewer Macro,7.5,HIGH,0.0008699999889358878,false,,false,false,false,,,false,false,,2024-11-13T16:15:00.000Z,0
CVE-2024-52298,https://securityvulnerability.io/vulnerability/CVE-2024-52298,Access Control Vulnerability in PDF Viewer Macro for XWiki by XWiki SAS,"The macro-pdfviewer for XWiki, which utilizes the Mozilla pdf.js library, contains a vulnerability that allows unauthorized access to protected PDF attachments through its 'Delegate my view right' feature. Attackers can exploit this flaw by providing a reference to a PDF file within the macro. If the attacker can access a page authored by a user who has permission to view the attachment, they can retrieve the URL of the protected file. Even pages that indicate 'N/A' may reveal sensitive information upon inspection of network requests, thereby exposing attachment URLs stored in JSON responses. This vulnerability compromises expected access controls and has been addressed in version 2.5.6 of the product.",Xwiki,PDF Viewer Macro,7.5,HIGH,0.0008399999933317304,false,,false,false,false,,,false,false,,2024-11-13T16:15:00.000Z,0
CVE-2024-52300,https://securityvulnerability.io/vulnerability/CVE-2024-52300,Cross-Site Scripting Vulnerability in XWiki's PDF Viewer Macro,"The macro-pdfviewer, which serves as a PDF viewer macro for XWiki leveraging Mozilla pdf.js, contains a vulnerability stemming from improper escaping of the width parameter. This flaw enables cross-site scripting (XSS) attacks; any user with the ability to edit a page can inject malicious code. When an administrator views a page containing such malicious code, the integrity, confidentiality, and availability of the entire XWiki installation can be compromised. The issue is addressed in version 2.5.6 of the product.",Xwiki,PDF Viewer Macro,9,CRITICAL,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-11-13T16:15:00.000Z,0
CVE-2024-43401,https://securityvulnerability.io/vulnerability/CVE-2024-43401,"In XWiki Platform, payloads stored in content is executed when a user with script/programming right edit them","The XWiki Platform vulnerability allows a non-privileged user to exploit a flaw in the WYSIWYG editor. By tricking a user with elevated rights into editing content with a malicious payload, the elevated user inadvertently executes potentially dangerous code without prior warning. This flaw can lead to significant security issues, as it compromises the integrity of the content and the trust users place in the platform. The vulnerability has been addressed and patched in version 15.10RC1.",Xwiki,Xwiki-platform,8,HIGH,0.0010100000072270632,false,,false,false,false,,,false,false,,2024-08-19T17:15:00.000Z,0
CVE-2024-37901,https://securityvulnerability.io/vulnerability/CVE-2024-37901,XWiki Platform Run-time Code Execution Vulnerability,"The XWiki Platform, a widely-used generic wiki platform, is susceptible to a significant security flaw that enables remote code execution. This vulnerability arises when a user with edit permissions on any page incorporates specific instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` into their profile or any page. Such actions can lead to the unauthorized execution of arbitrary code, thereby jeopardizing the confidentiality, integrity, and availability of the entire XWiki installation. Affected users must upgrade to patched versions: XWiki 14.10.21, 15.5.5, or 15.10.2 to mitigate this risk.",Xwiki,Xwiki-platform,8.8,HIGH,0.0010000000474974513,false,,false,false,false,,,false,false,,2024-07-31T15:19:36.588Z,0
CVE-2024-37899,https://securityvulnerability.io/vulnerability/CVE-2024-37899,XWiki Platform Vulnerability: Disable User Account to Execute Malicious Code,"The XWiki Platform vulnerability allows a malicious user to escalate privileges by inserting harmful code into their user profile. When an administrator disables the account, the malicious code executes with the administrator's privileges, potentially compromising sensitive data. The flaw occurs when an admin interacts with a modified user profile without proper safeguards in place. Affected users and organizations must upgrade to XWiki versions 14.10.21, 15.5.5, 15.10.6, or 16.0.0, as there are currently no workarounds available.",Xwiki,Xwiki-platform,8,HIGH,0.000699999975040555,false,,false,false,false,,,false,false,,2024-06-20T23:15:00.000Z,0
CVE-2024-31997,https://securityvulnerability.io/vulnerability/CVE-2024-31997,Remote Code Execution Vulnerability in XWiki Platform,"The XWiki Platform is susceptible to a significant security vulnerability that enables remote code execution through improperly handled parameters in UI extensions. Users who possess edit rights on documents—including their own profiles—can create malicious UI extensions that are executed with elevated programming rights. This flaw affects the confidentiality, integrity, and overall availability of the XWiki installation. It is crucial for users to update their systems to versions 4.10.19, 15.5.4, or 15.10-rc-1 to mitigate the risks associated with this vulnerability, as no workarounds exist.",Xwiki,Xwiki-platform,8.8,HIGH,0.0013299999991431832,false,,false,false,false,,,false,false,,2024-04-10T21:55:43.475Z,0
CVE-2024-31996,https://securityvulnerability.io/vulnerability/CVE-2024-31996,XWiki Platform Vulnerability Affects Remote Code Execution,"The XWiki Platform contains a vulnerability in its HTML escaping tool, which fails to appropriately escape the `{` character. This oversight potentially allows for XWiki syntax injection, resulting in remote code execution by an attacker. The issue exists in XWiki versions 3.0.1 and prior to 4.10.19, 15.5.4, and 15.10-rc-1. To remediate the vulnerability, users are advised to upgrade to the patched versions. Alternatively, a temporary fix involves replacing `$escapetool.html` with `$escapetool.xml` within specific XWiki documents. Notably, the panel document `Panels.PanelLayoutUpdate` has been identified as one that exposes this vulnerability, but other extensions may also be susceptible and could require attention.",Xwiki,Xwiki-commons,9.8,CRITICAL,0.0029700000304728746,false,,false,false,false,,,false,false,,2024-04-10T20:46:19.929Z,0
CVE-2024-31988,https://securityvulnerability.io/vulnerability/CVE-2024-31988,XWiki Platform Vulnerability Allows Arbitrary Remote Code Execution,"The XWiki Platform contains a vulnerability allowing for arbitrary remote code execution when the realtime editor is enabled. This issue arises when an admin user interacts with a specially crafted URL or image, enabling attackers to execute unauthorized XWiki syntax, including Groovy or Python scripts. This leads to potential compromises in the confidentiality, integrity, and availability of the entire XWiki installation. Versions prior to 14.10.19, 15.5.4, and 15.9 are impacted. Users are advised to upgrade to the patched versions or manually apply a specific code patch to mitigate the risks, although the latter may result in synchronization issues within the realtime editor.",Xwiki,Xwiki-platform,8.8,HIGH,0.000750000006519258,false,,false,false,false,,,false,false,,2024-04-10T20:40:36.954Z,0
CVE-2024-31987,https://securityvulnerability.io/vulnerability/CVE-2024-31987,Remote Code Execution Vulnerability in XWiki Platform,"The XWiki Platform, a widely used generic wiki platform developed by XWiki SAS, is prone to a security vulnerability where a user with editing privileges can craft a custom skin with a template override. This action results in code executed under programming rights, creating a pathway for unauthorized remote code execution. The affected versions include those prior to 14.10.19, 15.5.4, and 15.10-rc-1. XWiki SAS has provided patches in these later releases to mitigate the issue, with no effective workarounds available except for an immediate upgrade.",Xwiki,Xwiki-platform,8.8,HIGH,0.0013299999991431832,false,,false,false,false,,,false,false,,2024-04-10T20:32:39.317Z,0
CVE-2024-31986,https://securityvulnerability.io/vulnerability/CVE-2024-31986,Arbitrary Code Execution Vulnerability in XWiki Platform,"The XWiki Platform, a widely used wiki system, is affected by a vulnerability that enables arbitrary code execution on the server. This occurs when a specially crafted document reference and an 'XWiki.SchedulerJobClass' XObject is introduced. The exploit becomes active when an administrator accesses the scheduler page or when this page is referenced, such as through an image within a comment on any wiki page. The issue has been resolved in XWiki versions 14.10.19, 15.5.5, and 15.9. Users are advised to apply a manual patch if updating is not feasible, specifically by modifying the 'Scheduler.WebHome' page to mitigate potential risks.",Xwiki,Xwiki-platform,8.8,HIGH,0.0006399999838322401,false,,false,false,false,,,false,false,,2024-04-10T20:27:29.600Z,0
CVE-2024-31984,https://securityvulnerability.io/vulnerability/CVE-2024-31984,XWiki Vulnerability Allows Remote Code Execution,"A vulnerability in XWiki Platform allows for remote code execution due to improperly managed document titles. Through this oversight, an attacker can craft a title to exploit the Solr-based search functionality, enabling arbitrary Groovy code execution. This issue affects all users with the ability to modify space titles, risking the confidentiality, integrity, and availability of XWiki installations. It has been resolved in updates 14.10.20, 15.5.4, and 15.10 RC1, with recommendations for immediate application of patches to ensure system security.",Xwiki,Xwiki-platform,8.8,HIGH,0.002469999948516488,false,,false,false,false,,,false,false,,2024-04-10T19:53:50.690Z,0
CVE-2024-31983,https://securityvulnerability.io/vulnerability/CVE-2024-31983,XWiki Platform Vulnerability: Remote Code Execution Exploit,"A vulnerability exists in the XWiki Platform that affects multilingual wikis, wherein translations can be edited by any user possessing edit rights. This flaw circumvents the permissions that are typically necessary for the authorship of translations, particularly script rights for user-scope translations and administrative rights for wiki-level translations. This vulnerability can potentially allow malicious users to execute arbitrary code if the translation values are not properly escaped. Versions 4.3-milestone-2 and 4.10.0 up to 4.10.19, along with versions 15.5.0 to 15.5.3 and 15.10-rc-1, are impacted. Users are advised to apply the available security patches in versions 14.10.20, 15.5.4, and 15.10RC1, or restrict edit rights on documents containing translations as a precautionary measure.",Xwiki,Xwiki-platform,8.8,HIGH,0.0009399999980814755,false,,false,false,false,,,false,false,,2024-04-10T19:44:48.503Z,0
CVE-2024-31982,https://securityvulnerability.io/vulnerability/CVE-2024-31982,Remote Code Execution Vulnerability in XWiki Platform,"The CVE-2024-31982 vulnerability is a remote code execution vulnerability in the XWiki Platform that allows for remote code execution through the database search feature. This can be accessed by any visitor of a public wiki or closed wiki, impacting the confidentiality, integrity, and availability of the entire XWiki installation. The vulnerability has been patched in versions 14.10.20, 15.5.4, and 15.10RC1 of XWiki. It is recommended to apply the patch manually or delete the page ""Main.DatabaseSearch"" if database search is not explicitly used by users.",Xwiki,Xwiki-platform,9.8,CRITICAL,0.12996000051498413,false,,true,false,true,2024-06-23T06:20:33.000Z,true,false,false,,2024-04-10T19:38:01.879Z,0
CVE-2024-31981,https://securityvulnerability.io/vulnerability/CVE-2024-31981,Remote Code Execution Vulnerability in XWiki Platform,"The XWiki Platform is a widely used generic wiki software that has a vulnerability allowing remote code execution through vulnerable PDF export templates. This issue affects versions starting from 3.0.1 up to and including versions 4.10.19, 15.5.0, 15.5.3, and 15.10-rc-1. To mitigate this vulnerability, users are urged to upgrade to the patched versions—specifically 14.10.20, 15.5.4, or 15.10-rc-1. In scenarios where PDF templates are not utilized, administrators can create a document named `XWiki.PDFClass`, block its editing, and ensure the absence of a `style` attribute as an additional precaution. However, this workaround is not recommended as the primary solution is to upgrade to secure versions.",Xwiki,Xwiki-platform,8.8,HIGH,0.0009399999980814755,false,,false,false,false,,,false,false,,2024-04-10T19:22:57.494Z,0
CVE-2024-31465,https://securityvulnerability.io/vulnerability/CVE-2024-31465,XWiki Platform Vulnerability: Code Execution via User Profile,"A vulnerability in the XWiki Platform allows any user with edit permissions to perform arbitrary code execution on the server. This occurs when an object of type `XWiki.SearchSuggestSourceClass` is added to a user profile or any page, leading to severe security implications regarding the confidentiality, integrity, and availability of the XWiki installation. This issue affects versions from 5.0-rc-1 up to 14.10.19, as well as 15.5.0 to 15.5.3 and version 15.9-rc-1. Users are encouraged to upgrade to versions 14.10.20, 15.5.4, or 15.10 RC1, or apply the recommended patch to the `XWiki.SearchSuggestSourceSheet` document to mitigate this vulnerability.",Xwiki,Xwiki-platform,8.8,HIGH,0.0011599999852478504,false,,false,false,false,,,false,false,,2024-04-10T19:12:35.517Z,0
CVE-2024-21651,https://securityvulnerability.io/vulnerability/CVE-2024-21651,XWiki Denial of Service attack through attachments,"The XWiki Platform is a versatile wiki application that provides runtime services for various built applications. A vulnerability exists within the platform due to improper handling of file attachments. Specifically, a user with the ability to attach files can exploit this weakness by submitting a specially crafted TAR file that manipulates file modification times headers. When this malformed file is parsed by the Tika library, it can lead to excessive CPU consumption, resulting in denial of service for users. This issue has been addressed in recent updates, including XWiki versions 14.10.18, 15.5.3, and 15.8 RC1, making it essential for users to upgrade to these patched versions to ensure system integrity.",xwiki,xwiki-platform,7.5,HIGH,0.0006399999838322401,false,,false,false,false,,,false,false,,2024-01-09T00:15:00.000Z,0
CVE-2024-21648,https://securityvulnerability.io/vulnerability/CVE-2024-21648,XWiki has no right protection on rollback action,"The XWiki Platform exhibits a vulnerability related to access control, specifically within its rollback functionality. This flaw permits a user to revert to an earlier version of a page without adequate permission checks, potentially allowing access to rights that have been revoked. This issue has been addressed in the latest versions of the platform, which enforce proper role validation before permitting rollback actions. Users are advised to upgrade to versions 14.10.17, 15.5.3, or 15.8-rc-1 to mitigate associated security risks.",xwiki,xwiki-platform,8,HIGH,0.0012100000167265534,false,,false,false,false,,,false,false,,2024-01-09T00:15:00.000Z,0
CVE-2024-21650,https://securityvulnerability.io/vulnerability/CVE-2024-21650,XWiki Platform vulnerable to Remote Code Execution (RCE) attack,"The XWiki Platform is susceptible to a remote code execution vulnerability due to improper handling of user input in the user registration feature. This vulnerability allows attackers to inject malicious payloads via the 'first name' or 'last name' fields during the registration process. The risk is significant for installations that permit guest user registrations, as an attacker could potentially execute arbitrary code on the server. This vulnerability has been addressed in the subsequent releases: XWiki 14.10.17, 15.5.3, and 15.8 RC1, urging users to update their installations to mitigate security risks.",xwiki,xwiki-platform,10,CRITICAL,0.8582199811935425,false,,false,false,false,,,false,false,,2024-01-08T16:15:00.000Z,0
CVE-2023-50732,https://securityvulnerability.io/vulnerability/CVE-2023-50732,Velocity execution without script right through tree macro,"The XWiki Platform contains a vulnerability that allows unauthorized users to execute Velocity scripts without having the appropriate script rights. This can be accomplished through traversing the document tree, possibly leading to unwanted actions or data exposure within the application. Users are strongly advised to upgrade to XWiki version 14.10.7 or 15.2RC1 to mitigate this risk.",xwiki,xwiki-platform,8.3,HIGH,0.000859999970998615,false,,false,false,false,,,false,false,,2023-12-21T20:15:00.000Z,0