cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2025-23025,https://securityvulnerability.io/vulnerability/CVE-2025-23025,Vulnerability in XWiki Platform's Realtime WYSIWYG Editor Allows Script Injection,"XWiki Platform features a Realtime WYSIWYG Editor which allows users with edit rights to participate in collaborative editing sessions. However, if a user with limited permissions joins these sessions, they can inadvertently gain access to scripting capabilities by exploiting scripts introduced by those with higher privileges. This vulnerability arises due to the editor being enabled by default in certain versions, raising the critical concern of unauthorized script execution. Patches are available in versions 15.10.2, 16.4.1, and 16.6.0-rc-1. To mitigate risks, users unable to update should either disable the realtime editing feature through the administrative section or uninstall the extension.",Xwiki,Xwiki-platform,9.1,CRITICAL,0.00044999999227002263,false,,false,false,false,,false,false,false,,2025-01-14T18:16:00.000Z,0
CVE-2024-55879,https://securityvulnerability.io/vulnerability/CVE-2024-55879,Arbitrary Remote Code Execution Vulnerability in XWiki Platform,"XWiki Platform, a widely-used wiki software, is susceptible to an arbitrary remote code execution vulnerability that allows users with script rights to manipulate instances of `XWiki.ConfigurableClass` on any page. This flaw jeopardizes the confidentiality, integrity, and availability of the entire XWiki installation. The vulnerability impacts all versions from 2.3 up to, but not including, versions 15.10.9 and 16.3.0, which contain the necessary patch. Users are advised to upgrade their installations to mitigate the associated risks.",Xwiki,Xwiki-platform,9.1,CRITICAL,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T19:17:38.138Z,0
CVE-2024-55877,https://securityvulnerability.io/vulnerability/CVE-2024-55877,Arbitrary Remote Code Execution Vulnerability in XWiki Platform,"The XWiki Platform, a widely used wiki software, is affected by a security vulnerability that allows any authenticated user to execute arbitrary remote code. This flaw arises when users incorporate instances of 'XWiki.WikiMacroClass' onto any page, which severely compromises the confidentiality, integrity, and availability of the XWiki environment. The vulnerability spans versions from 9.7-rc-1 up to but not including 15.10.11, 16.4.1, and 16.5.0. Mitigation is available through updates to the aforementioned versions or via manual patching of the page 'XWiki.XWikiSyntaxMacrosList'.",Xwiki,Xwiki-platform,10,CRITICAL,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T19:13:43.128Z,0
CVE-2024-55876,https://securityvulnerability.io/vulnerability/CVE-2024-55876,XWiki Platform Vulnerability - Scheduler Code Execution,"XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.",Xwiki,Xwiki-platform,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T18:59:49.733Z,0
CVE-2024-55663,https://securityvulnerability.io/vulnerability/CVE-2024-55663,Unsanitized Request Parameter Vulnerability in XWiki Platform,"The XWiki Platform is vulnerable to HQL injection due to improper sanitization of request parameters in the document retrieval process. Starting from version 6.3-milestone-2 and up to versions 13.10.4, an attacker can exploit this vulnerability to manipulate document ordering and inject malicious HQL queries. Depending on the backend database, this could lead to unauthorized disclosure of sensitive information, such as password hashes, and unauthorized modifications of database entries via UPDATE, INSERT, or DELETE commands. It is crucial for users to upgrade to patched versions 13.10.5 or 14.3-rc-1 to mitigate these risks effectively.",Xwiki,Xwiki-platform,9.8,CRITICAL,0.0006799999973736703,false,,false,false,false,,,false,false,,2024-12-12T18:53:49.491Z,0
CVE-2024-55662,https://securityvulnerability.io/vulnerability/CVE-2024-55662,XWiki Platform Vulnerability: Any User Can Execute Code,"The XWiki Platform is a flexible wiki solution that, when utilizing the Extension Repository Application prior to versions 15.10.9 and 16.3.0, exposes the system to a significant vulnerability. Any authenticated user can exploit this flaw to execute arbitrary code on the server, particularly with programming rights. To mitigate this issue, instances not utilizing the Extension Repository Application can disable it as a workaround. For those who require continued use of the application, manual patches can be applied to crucial pages to rectify the vulnerability, following the guidance provided in GitHub commit 8659f17d500522bf33595e402391592a35a162e8.",Xwiki,Xwiki-platform,10,CRITICAL,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T17:25:26.297Z,0
CVE-2024-52298,https://securityvulnerability.io/vulnerability/CVE-2024-52298,Access Control Vulnerability in PDF Viewer Macro for XWiki by XWiki SAS,"The macro-pdfviewer for XWiki, which utilizes the Mozilla pdf.js library, contains a vulnerability that allows unauthorized access to protected PDF attachments through its 'Delegate my view right' feature. Attackers can exploit this flaw by providing a reference to a PDF file within the macro. If the attacker can access a page authored by a user who has permission to view the attachment, they can retrieve the URL of the protected file. Even pages that indicate 'N/A' may reveal sensitive information upon inspection of network requests, thereby exposing attachment URLs stored in JSON responses. This vulnerability compromises expected access controls and has been addressed in version 2.5.6 of the product.",Xwiki,PDF Viewer Macro,7.5,HIGH,0.0008399999933317304,false,,false,false,false,,,false,false,,2024-11-13T16:15:00.000Z,0
CVE-2024-52299,https://securityvulnerability.io/vulnerability/CVE-2024-52299,Vulnerability in PDF Viewer Macro for XWiki Affects User Data Access,"The macro-pdfviewer is a PDF Viewer Macro for XWiki, utilizing the Mozilla pdf.js library. A vulnerability exists that allows users with view permissions on XWiki.PDFViewerService to access any attachment stored in the wiki. This security flaw arises from an incorrect computation of the key used to restrict access, specifically through improper handling of the digest stream. As a result, unauthorized users may gain access to sensitive documents. This issue has been resolved in version 2.5.6, emphasizing the importance of updating to ensure data protection.",Xwiki,PDF Viewer Macro,7.5,HIGH,0.0008699999889358878,false,,false,false,false,,,false,false,,2024-11-13T16:15:00.000Z,0
CVE-2024-52300,https://securityvulnerability.io/vulnerability/CVE-2024-52300,Cross-Site Scripting Vulnerability in XWiki's PDF Viewer Macro,"The macro-pdfviewer, which serves as a PDF viewer macro for XWiki leveraging Mozilla pdf.js, contains a vulnerability stemming from improper escaping of the width parameter. This flaw enables cross-site scripting (XSS) attacks; any user with the ability to edit a page can inject malicious code. When an administrator views a page containing such malicious code, the integrity, confidentiality, and availability of the entire XWiki installation can be compromised. The issue is addressed in version 2.5.6 of the product.",Xwiki,PDF Viewer Macro,9,CRITICAL,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-11-13T16:15:00.000Z,0
CVE-2024-46979,https://securityvulnerability.io/vulnerability/CVE-2024-46979,XWiki Platform Notification Filter Vulnerability,"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to get access to notification filters of any user by using a URL such as `xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=`. This vulnerability impacts all versions of XWiki since 13.2-rc-1. The filters do not provide much information (they mainly contain references which are public data in XWiki), though some info could be used in combination with other vulnerabilities. This vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0RC1. The patch consists of checking the rights of the user when sending the data. Users are advised to upgrade. It's possible to work around the vulnerability by applying the patch manually: an administrator can directly edit the document `XWiki.Notifications.Code.NotificationFilterPreferenceLivetableResults` to apply the same changes as in the patch. See commit c8c6545f9bde6f5aade994aa5b5903a67b5c2582.",XWiki,Xwiki,5.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-09-18T18:15:00.000Z,0
CVE-2024-46978,https://securityvulnerability.io/vulnerability/CVE-2024-46978,Notification Filters Vulnerability Affects XWiki Users,"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing the ID of a notification filter preference of another user to enable/disable it or even delete it. The impact is that the target user might start losing notifications on some pages because of this. This vulnerability is present in XWiki since 13.2-rc-1. This vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. The patch consists of properly checking the rights of the user before performing any action on the filters. Users are advised to upgrade. It's possible to fix the vulnerability manually by editing the document `XWiki.Notifications.Code.NotificationPreferenceService` to apply the changes performed in commit e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4.",Xwiki,Xwiki-platform,6.5,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-09-18T18:15:00.000Z,0
CVE-2024-45591,https://securityvulnerability.io/vulnerability/CVE-2024-45591,XWiki Platform document history including authors of any page exposed to unauthorized actors,"XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history; if this shows the history of the main page then the installation is vulnerable. This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.",Xwiki,Xwiki-platform,5.3,MEDIUM,0.0007399999885819852,false,,false,false,false,,,false,false,,2024-09-10T15:56:53.484Z,0
CVE-2024-43400,https://securityvulnerability.io/vulnerability/CVE-2024-43400,Cross-Site Scripting Vulnerability in XWiki Platform by XWiki,"The XWiki Platform, a widely-used generic wiki, is vulnerable to a cross-site scripting exploit that allows unauthorized users to create URLs embedding malicious JavaScript. By leveraging social engineering tactics, attackers can deceive users into clicking on such links, potentially compromising their data or affecting platform integrity. This vulnerability has been addressed in subsequent updates; users are encouraged to upgrade to versions 14.10.21, 15.5.5, 15.10.6, or 16.0.0 to mitigate risks.",Xwiki,Xwiki,5.4,MEDIUM,0.0005300000193528831,false,,false,false,false,,,false,false,,2024-08-19T17:15:00.000Z,0
CVE-2024-43401,https://securityvulnerability.io/vulnerability/CVE-2024-43401,"In XWiki Platform, payloads stored in content are executed when a user with script/programming right edits them","The XWiki Platform vulnerability allows a non-privileged user to exploit a flaw in the WYSIWYG editor. By tricking a user with elevated rights into editing content with a malicious payload, the elevated user inadvertently executes potentially dangerous code without prior warning. This flaw can lead to significant security issues, as it compromises the integrity of the content and the trust users place in the platform. The vulnerability has been addressed and patched in version 15.10RC1.",Xwiki,Xwiki-platform,8,HIGH,0.0010100000072270632,false,,false,false,false,,,false,false,,2024-08-19T17:15:00.000Z,0
CVE-2024-41947,https://securityvulnerability.io/vulnerability/CVE-2024-41947,"XWiki Platform Vulnerability: JavaScript Snippets Can Compromise Confidentiality, Integrity, and Availability","XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1.",Xwiki,Xwiki-platform,5.4,MEDIUM,0.0017000000225380063,false,,false,false,false,,,false,false,,2024-07-31T15:24:20.271Z,0
CVE-2024-37901,https://securityvulnerability.io/vulnerability/CVE-2024-37901,XWiki Platform Run-time Code Execution Vulnerability,"The XWiki Platform, a widely-used generic wiki platform, is susceptible to a significant security flaw that enables remote code execution. This vulnerability arises when a user with edit permissions on any page incorporates specific instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` into their profile or any page. Such actions can lead to the unauthorized execution of arbitrary code, thereby jeopardizing the confidentiality, integrity, and availability of the entire XWiki installation. Affected users must upgrade to patched versions: XWiki 14.10.21, 15.5.5, or 15.10.2 to mitigate this risk.",Xwiki,Xwiki-platform,8.8,HIGH,0.0010000000474974513,false,,false,false,false,,,false,false,,2024-07-31T15:19:36.588Z,0
CVE-2024-37900,https://securityvulnerability.io/vulnerability/CVE-2024-37900,XWiki Platform Addresses Malicious Attachment Execution Vulnerability,"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.",Xwiki,Xwiki-platform,4.6,MEDIUM,0.0017900000093504786,false,,false,false,false,,,false,false,,2024-07-31T15:15:31.013Z,0
CVE-2024-37898,https://securityvulnerability.io/vulnerability/CVE-2024-37898,XWiki Platform Patches Security Vulnerability,"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has view but not edit right on a page in XWiki, that user can delete the page and replace it by a page with new content without having delete right. The previous version of the page is moved into the recycle bin and can be restored from there by an admin. As the user is recorded as deleter, the user would in theory also be able to view the deleted content, but this is not directly possible as rights of the previous version are transferred to the new page and thus the user still doesn't have view right on the page. It therefore doesn't seem to be possible to exploit this to gain any rights. This has been patched in XWiki 14.10.21, 15.5.5 and 15.10.6 by cancelling save operations by users when a new document shall be saved despite the document already existing.",Xwiki,Xwiki-platform,4.3,MEDIUM,0.0009599999757483602,false,,false,false,false,,,false,false,,2024-07-31T15:12:22.468Z,0
CVE-2024-38369,https://securityvulnerability.io/vulnerability/CVE-2024-38369,XWiki Platform Vulnerability: Impersonation of Document Authors via 'include' Macro,"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference=""targetdocument""/}}` is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the `include` macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe.",Xwiki,Xwiki-platform,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-06-24T16:39:37.695Z,0
CVE-2024-37899,https://securityvulnerability.io/vulnerability/CVE-2024-37899,XWiki Platform Vulnerability: Disable User Account to Execute Malicious Code,"The XWiki Platform vulnerability allows a malicious user to escalate privileges by inserting harmful code into their user profile. When an administrator disables the account, the malicious code executes with the administrator's privileges, potentially compromising sensitive data. The flaw occurs when an admin interacts with a modified user profile without proper safeguards in place. Affected users and organizations must upgrade to XWiki versions 14.10.21, 15.5.5, 15.10.6, or 16.0.0, as there are currently no workarounds available.",Xwiki,Xwiki-platform,8,HIGH,0.000699999975040555,false,,false,false,false,,,false,false,,2024-06-20T23:15:00.000Z,0
CVE-2024-31997,https://securityvulnerability.io/vulnerability/CVE-2024-31997,Remote Code Execution Vulnerability in XWiki Platform,"The XWiki Platform is susceptible to a significant security vulnerability that enables remote code execution through improperly handled parameters in UI extensions. Users who possess edit rights on documents, including their own profiles, can create malicious UI extensions that are executed with elevated programming rights. This flaw affects the confidentiality, integrity, and overall availability of the XWiki installation. It is crucial for users to update their systems to versions 4.10.19, 15.5.4, or 15.10-rc-1 to mitigate the risks associated with this vulnerability, as no workarounds exist.",Xwiki,Xwiki-platform,8.8,HIGH,0.0013299999991431832,false,,false,false,false,,,false,false,,2024-04-10T21:55:43.475Z,0
CVE-2024-31996,https://securityvulnerability.io/vulnerability/CVE-2024-31996,XWiki Platform Vulnerability Affects Remote Code Execution,"The XWiki Platform contains a vulnerability in its HTML escaping tool, which fails to appropriately escape the `{` character. This oversight potentially allows for XWiki syntax injection, resulting in remote code execution by an attacker. The issue exists in XWiki versions 3.0.1 and prior to 4.10.19, 15.5.4, and 15.10-rc-1. To remediate the vulnerability, users are advised to upgrade to the patched versions. Alternatively, a temporary fix involves replacing `$escapetool.html` with `$escapetool.xml` within specific XWiki documents. Notably, the panel document `Panels.PanelLayoutUpdate` has been identified as one that exposes this vulnerability, but other extensions may also be susceptible and could require attention.",Xwiki,Xwiki-commons,9.8,CRITICAL,0.0029700000304728746,false,,false,false,false,,,false,false,,2024-04-10T20:46:19.929Z,0
CVE-2024-31988,https://securityvulnerability.io/vulnerability/CVE-2024-31988,XWiki Platform Vulnerability Allows Arbitrary Remote Code Execution,"The XWiki Platform contains a vulnerability allowing for arbitrary remote code execution when the realtime editor is enabled. This issue arises when an admin user interacts with a specially crafted URL or image, enabling attackers to execute unauthorized XWiki syntax, including Groovy or Python scripts. This leads to potential compromises in the confidentiality, integrity, and availability of the entire XWiki installation. Versions prior to 14.10.19, 15.5.4, and 15.9 are impacted. Users are advised to upgrade to the patched versions or manually apply a specific code patch to mitigate the risks, although the latter may result in synchronization issues within the realtime editor.",Xwiki,Xwiki-platform,8.8,HIGH,0.000750000006519258,false,,false,false,false,,,false,false,,2024-04-10T20:40:36.954Z,0
CVE-2024-31987,https://securityvulnerability.io/vulnerability/CVE-2024-31987,Remote Code Execution Vulnerability in XWiki Platform,"The XWiki Platform, a widely used generic wiki platform developed by XWiki SAS, is prone to a security vulnerability where a user with editing privileges can craft a custom skin with a template override. This action results in code executed under programming rights, creating a pathway for unauthorized remote code execution. The affected versions include those prior to 14.10.19, 15.5.4, and 15.10-rc-1. XWiki SAS has provided patches in these later releases to mitigate the issue, with no effective workarounds available except for an immediate upgrade.",Xwiki,Xwiki-platform,8.8,HIGH,0.0013299999991431832,false,,false,false,false,,,false,false,,2024-04-10T20:32:39.317Z,0
CVE-2024-31986,https://securityvulnerability.io/vulnerability/CVE-2024-31986,Arbitrary Code Execution Vulnerability in XWiki Platform,"The XWiki Platform, a widely used wiki system, is affected by a vulnerability that enables arbitrary code execution on the server. This occurs when a specially crafted document reference and an 'XWiki.SchedulerJobClass' XObject is introduced. The exploit becomes active when an administrator accesses the scheduler page or when this page is referenced, such as through an image within a comment on any wiki page. The issue has been resolved in XWiki versions 14.10.19, 15.5.5, and 15.9. Users are advised to apply a manual patch if updating is not feasible, specifically by modifying the 'Scheduler.WebHome' page to mitigate potential risks.",Xwiki,Xwiki-platform,8.8,HIGH,0.0006399999838322401,false,,false,false,false,,,false,false,,2024-04-10T20:27:29.600Z,0