cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2025-23025,https://securityvulnerability.io/vulnerability/CVE-2025-23025,Vulnerability in XWiki Platform's Realtime WYSIWYG Editor Allows Script Injection,"XWiki Platform features a Realtime WYSIWYG Editor which allows users with edit rights to participate in collaborative editing sessions. A user with limited permissions who joins such a session can obtain scripting capabilities through script content introduced by participants with higher privileges, resulting in unauthorized script execution. The exposure is widened by the editor being enabled by default in affected versions. Patches are available in versions 15.10.2, 16.4.1, and 16.6.0-rc-1. Users unable to update should either disable the realtime editing feature through the administration section or uninstall the extension.",Xwiki,Xwiki-platform,9.1,CRITICAL,0.00044999999227002263,false,,false,false,false,,false,false,false,,2025-01-14T18:16:00.000Z,0
CVE-2024-55879,https://securityvulnerability.io/vulnerability/CVE-2024-55879,Arbitrary Remote Code Execution Vulnerability in XWiki Platform,"XWiki Platform, a widely used wiki software, is susceptible to an arbitrary remote code execution vulnerability: users with script rights can create or manipulate instances of `XWiki.ConfigurableClass` on any page to obtain full code execution. This flaw jeopardizes the confidentiality, integrity, and availability of the entire XWiki installation. The vulnerability impacts all versions from 2.3 up to, but not including, versions 15.10.9 and 16.3.0, which contain the patch. Users are advised to upgrade their installations to mitigate the associated risks.",Xwiki,Xwiki-platform,9.1,CRITICAL,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T19:17:38.138Z,0
CVE-2024-55877,https://securityvulnerability.io/vulnerability/CVE-2024-55877,Arbitrary Remote Code Execution Vulnerability in XWiki Platform,"The XWiki Platform, a widely used wiki software, is affected by a vulnerability that allows any authenticated user to execute arbitrary remote code. The flaw is triggered when a user adds instances of 'XWiki.WikiMacroClass' to any page, which severely compromises the confidentiality, integrity, and availability of the XWiki environment. The vulnerability spans versions from 9.7-rc-1 up to, but not including, 15.10.11, 16.4.1, and 16.5.0. Mitigation is available by updating to those versions or by manually patching the page 'XWiki.XWikiSyntaxMacrosList'.",Xwiki,Xwiki-platform,10,CRITICAL,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T19:13:43.128Z,0
CVE-2024-55876,https://securityvulnerability.io/vulnerability/CVE-2024-55876,XWiki Platform Vulnerability - Scheduler Code Execution,"XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.",Xwiki,Xwiki-platform,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T18:59:49.733Z,0
CVE-2024-55663,https://securityvulnerability.io/vulnerability/CVE-2024-55663,Unsanitized Request Parameter Vulnerability in XWiki Platform,"The XWiki Platform is vulnerable to HQL injection due to improper sanitization of request parameters in the document retrieval process. Versions from 6.3-milestone-2 up to, but not including, 13.10.5 and 14.3-rc-1 are affected: an attacker can abuse the document ordering parameter to inject HQL into the query. Depending on the backend database, this can lead to disclosure of sensitive information, such as password hashes, and to unauthorized modification of database entries via UPDATE, INSERT, or DELETE statements. Users should upgrade to the patched versions 13.10.5 or 14.3-rc-1.",Xwiki,Xwiki-platform,9.8,CRITICAL,0.0006799999973736703,false,,false,false,false,,,false,false,,2024-12-12T18:53:49.491Z,0
CVE-2024-55662,https://securityvulnerability.io/vulnerability/CVE-2024-55662,XWiki Platform Vulnerability: Any User Can Execute Code,"The XWiki Platform, when the Extension Repository Application is installed in versions prior to 15.10.9 and 16.3.0, exposes a significant vulnerability: any authenticated user can execute arbitrary code on the server with programming rights. Instances that do not use the Extension Repository Application can disable it as a workaround. Those that require it can manually patch the affected pages following the changes in GitHub commit 8659f17d500522bf33595e402391592a35a162e8.",Xwiki,Xwiki-platform,10,CRITICAL,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T17:25:26.297Z,0
CVE-2024-46978,https://securityvulnerability.io/vulnerability/CVE-2024-46978,Notification Filters Vulnerability Affects XWiki Users,"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who knows the ID of another user's notification filter preference can enable, disable, or even delete it. As a result, the targeted user may stop receiving notifications for some pages. This vulnerability is present in XWiki since 13.2-rc-1 and has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, and 16.0-rc-1. The patch consists of properly checking the rights of the user before performing any action on the filters. Users are advised to upgrade. The vulnerability can also be fixed manually by editing the document `XWiki.Notifications.Code.NotificationPreferenceService` to apply the changes performed in commit e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4.",Xwiki,Xwiki-platform,6.5,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-09-18T18:15:00.000Z,0
CVE-2024-45591,https://securityvulnerability.io/vulnerability/CVE-2024-45591,XWiki Platform document history including authors of any page exposed to unauthorized actors,"XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki whose name the attacker knows. The exposed information includes, for each modification of the page, the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history without authentication: if this shows the history of the main page, the installation is vulnerable. This has been patched in XWiki 15.10.9 and XWiki 16.3.0RC1.",Xwiki,Xwiki-platform,5.3,MEDIUM,0.0007399999885819852,false,,false,false,false,,,false,false,,2024-09-10T15:56:53.484Z,0
CVE-2024-43401,https://securityvulnerability.io/vulnerability/CVE-2024-43401,"In XWiki Platform, payloads stored in content are executed when a user with script/programming right edits them","A non-privileged user can exploit a flaw in the XWiki Platform WYSIWYG editor: by tricking a user with script or programming rights into editing content that contains a malicious payload, the attacker causes the payload to execute with the elevated user's rights, without any prior warning. This compromises the integrity of the content and the trust users place in the platform. The vulnerability has been patched in version 15.10RC1.",Xwiki,Xwiki-platform,8,HIGH,0.0010100000072270632,false,,false,false,false,,,false,false,,2024-08-19T17:15:00.000Z,0
CVE-2024-41947,https://securityvulnerability.io/vulnerability/CVE-2024-41947,"XWiki Platform Vulnerability: JavaScript Snippets Can Compromise Confidentiality, Integrity, and Availability","XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating an edit conflict while another user with more rights is editing a page, it is possible to execute JavaScript snippets on that user's side, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1.",Xwiki,Xwiki-platform,5.4,MEDIUM,0.0017000000225380063,false,,false,false,false,,,false,false,,2024-07-31T15:24:20.271Z,0
CVE-2024-37901,https://securityvulnerability.io/vulnerability/CVE-2024-37901,XWiki Platform Run-time Code Execution Vulnerability,"The XWiki Platform, a widely used generic wiki platform, is susceptible to a significant security flaw that enables remote code execution. The vulnerability arises when a user with edit permissions on any page adds instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their profile or to any other page, leading to the execution of arbitrary code and jeopardizing the confidentiality, integrity, and availability of the entire XWiki installation. Affected users must upgrade to the patched versions XWiki 14.10.21, 15.5.5, or 15.10.2 to mitigate this risk.",Xwiki,Xwiki-platform,8.8,HIGH,0.0010000000474974513,false,,false,false,false,,,false,false,,2024-07-31T15:19:36.588Z,0
CVE-2024-37900,https://securityvulnerability.io/vulnerability/CVE-2024-37900,XWiki Platform Addresses Malicious Attachment Execution Vulnerability,"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim to upload a file with a malicious name. The malicious code is executed only during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.",Xwiki,Xwiki-platform,4.6,MEDIUM,0.0017900000093504786,false,,false,false,false,,,false,false,,2024-07-31T15:15:31.013Z,0
CVE-2024-37898,https://securityvulnerability.io/vulnerability/CVE-2024-37898,XWiki Platform Patches Security Vulnerability,"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has view but not edit right on a page in XWiki, that user can delete the page and replace it with a page with new content without having delete right. The previous version of the page is moved into the recycle bin and can be restored from there by an admin. As the user is recorded as the deleter, the user would in theory also be able to view the deleted content, but this is not directly possible, as the rights of the previous version are transferred to the new page and thus the user still doesn't have view right on it. It therefore doesn't seem to be possible to exploit this to gain any rights. This has been patched in XWiki 14.10.21, 15.5.5 and 15.10.6 by cancelling a user's save operation when a new document is to be saved although a document with that name already exists.",Xwiki,Xwiki-platform,4.3,MEDIUM,0.0009599999757483602,false,,false,false,false,,,false,false,,2024-07-31T15:12:22.468Z,0
CVE-2024-38369,https://securityvulnerability.io/vulnerability/CVE-2024-38369,XWiki Platform Vulnerability: Impersonation of Document Authors via 'include' Macro,"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference=""targetdocument""/}}` is executed with the rights of the includer and not with the rights of its author. This means that any user able to modify the target document can impersonate the author of the content that used the `include` macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe.",Xwiki,Xwiki-platform,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-06-24T16:39:37.695Z,0
CVE-2024-37899,https://securityvulnerability.io/vulnerability/CVE-2024-37899,XWiki Platform Vulnerability: Disable User Account to Execute Malicious Code,"The XWiki Platform vulnerability allows a malicious user to escalate privileges by inserting harmful code into their own user profile. When an administrator disables the account, the malicious code executes with the administrator's privileges, potentially compromising sensitive data. The flaw occurs because an admin can interact with a modified user profile without proper safeguards in place. Affected users and organizations must upgrade to XWiki versions 14.10.21, 15.5.5, 15.10.6, or 16.0.0, as there are currently no workarounds available.",Xwiki,Xwiki-platform,8,HIGH,0.000699999975040555,false,,false,false,false,,,false,false,,2024-06-20T23:15:00.000Z,0
CVE-2024-31997,https://securityvulnerability.io/vulnerability/CVE-2024-31997,Remote Code Execution Vulnerability in XWiki Platform,"The XWiki Platform is susceptible to a significant security vulnerability that enables remote code execution through improperly handled parameters in UI extensions. Users who possess edit rights on documents, including their own profiles, can create malicious UI extensions that are executed with programming rights. This flaw affects the confidentiality, integrity, and overall availability of the XWiki installation. Users should update to versions 14.10.19, 15.5.4, or 15.10-rc-1 to mitigate the risks associated with this vulnerability, as no workarounds exist.",Xwiki,Xwiki-platform,8.8,HIGH,0.0013299999991431832,false,,false,false,false,,,false,false,,2024-04-10T21:55:43.475Z,0
CVE-2024-31988,https://securityvulnerability.io/vulnerability/CVE-2024-31988,XWiki Platform Vulnerability Allows Arbitrary Remote Code Execution,"The XWiki Platform contains a vulnerability allowing arbitrary remote code execution when the realtime editor is enabled. The issue is triggered when an admin user interacts with a specially crafted URL or image, which lets attackers inject arbitrary XWiki syntax, including Groovy or Python script macros, into the admin's editing context. This compromises the confidentiality, integrity, and availability of the entire XWiki installation. Versions prior to 14.10.19, 15.5.4, and 15.9 are impacted. Users are advised to upgrade to the patched versions or to manually apply the specific code patch, although the latter may result in synchronization issues within the realtime editor.",Xwiki,Xwiki-platform,8.8,HIGH,0.000750000006519258,false,,false,false,false,,,false,false,,2024-04-10T20:40:36.954Z,0
CVE-2024-31987,https://securityvulnerability.io/vulnerability/CVE-2024-31987,Remote Code Execution Vulnerability in XWiki Platform,"The XWiki Platform, a widely used generic wiki platform developed by XWiki SAS, is prone to a vulnerability in which a user with editing privileges can craft a custom skin with a template override. The override is executed with programming rights, creating a pathway for unauthorized remote code execution. The affected versions are those prior to 14.10.19, 15.5.4, and 15.10-rc-1. XWiki SAS has provided patches in those releases; no workaround is available other than upgrading.",Xwiki,Xwiki-platform,8.8,HIGH,0.0013299999991431832,false,,false,false,false,,,false,false,,2024-04-10T20:32:39.317Z,0
CVE-2024-31986,https://securityvulnerability.io/vulnerability/CVE-2024-31986,Arbitrary Code Execution Vulnerability in XWiki Platform,"The XWiki Platform, a widely used wiki system, is affected by a vulnerability that enables arbitrary code execution on the server. It occurs when a specially crafted document reference is combined with an 'XWiki.SchedulerJobClass' XObject. The exploit triggers when an administrator accesses the scheduler page, or when that page is referenced, for example through an image in a comment on any wiki page. The issue has been resolved in XWiki versions 14.10.19, 15.5.5, and 15.9. Users who cannot update are advised to apply a manual patch by modifying the 'Scheduler.WebHome' page.",Xwiki,Xwiki-platform,8.8,HIGH,0.0006399999838322401,false,,false,false,false,,,false,false,,2024-04-10T20:27:29.600Z,0
CVE-2024-31985,https://securityvulnerability.io/vulnerability/CVE-2024-31985,XWiki Platform Vulnerability: Scheduled Jobs Can Be Triggered Remotely,"XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 14.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule, trigger, or unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such a URL in any content as an image. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9. As a workaround, manually apply the patch by modifying the `Scheduler.WebHome` page.",Xwiki,Xwiki-platform,5.4,MEDIUM,0.0007800000021234155,false,,false,false,false,,,false,false,,2024-04-10T20:11:53.091Z,0
CVE-2024-31984,https://securityvulnerability.io/vulnerability/CVE-2024-31984,XWiki Vulnerability Allows Remote Code Execution,"A vulnerability in XWiki Platform allows remote code execution due to improperly handled document titles. An attacker can craft a title that, through the Solr-based search functionality, leads to arbitrary Groovy code execution. Any user able to modify space titles can exploit this, putting the confidentiality, integrity, and availability of XWiki installations at risk. It has been resolved in updates 14.10.20, 15.5.4, and 15.10 RC1; immediate patching is recommended.",Xwiki,Xwiki-platform,8.8,HIGH,0.002469999948516488,false,,false,false,false,,,false,false,,2024-04-10T19:53:50.690Z,0
CVE-2024-31983,https://securityvulnerability.io/vulnerability/CVE-2024-31983,XWiki Platform Vulnerability: Remote Code Execution Exploit,"A vulnerability exists in the XWiki Platform that affects multilingual wikis, wherein translations can be edited by any user possessing edit rights. This flaw circumvents the permissions that are normally required to author translations, namely script rights for user-scope translations and administrative rights for wiki-level translations. It can allow malicious users to execute arbitrary code if the translation values are not properly escaped. Versions from 4.3-milestone-2 up to, but not including, 14.10.20, 15.5.4, and 15.10-rc-1 are impacted. Users are advised to apply the available security patches in versions 14.10.20, 15.5.4, and 15.10RC1, or to restrict edit rights on documents containing translations as a precaution.",Xwiki,Xwiki-platform,8.8,HIGH,0.0009399999980814755,false,,false,false,false,,,false,false,,2024-04-10T19:44:48.503Z,0
CVE-2024-31982,https://securityvulnerability.io/vulnerability/CVE-2024-31982,Remote Code Execution Vulnerability in XWiki Platform,"CVE-2024-31982 is a remote code execution vulnerability in the XWiki Platform that is reachable through the database search feature by any visitor of a public wiki or any user of a closed wiki, impacting the confidentiality, integrity, and availability of the entire XWiki installation. The vulnerability has been patched in versions 14.10.20, 15.5.4, and 15.10RC1 of XWiki. It is recommended to apply the patch manually or to delete the page ""Main.DatabaseSearch"" if database search is not explicitly used by users.",Xwiki,Xwiki-platform,9.8,CRITICAL,0.12996000051498413,false,,true,false,true,2024-06-23T06:20:33.000Z,true,false,false,,2024-04-10T19:38:01.879Z,0
CVE-2024-31981,https://securityvulnerability.io/vulnerability/CVE-2024-31981,Remote Code Execution Vulnerability in XWiki Platform,"The XWiki Platform, a widely used generic wiki software, has a vulnerability allowing remote code execution through vulnerable PDF export templates. This issue affects versions from 3.0.1 up to, but not including, 14.10.20, 15.5.4, and 15.10-rc-1. To mitigate it, users are urged to upgrade to those patched versions. Where PDF templates are not used, administrators can, as a precaution, create a document named `XWiki.PDFClass`, block its editing, and ensure it has no `style` attribute. This workaround is not recommended as the primary solution; upgrading to a secure version is.",Xwiki,Xwiki-platform,8.8,HIGH,0.0009399999980814755,false,,false,false,false,,,false,false,,2024-04-10T19:22:57.494Z,0
CVE-2024-31465,https://securityvulnerability.io/vulnerability/CVE-2024-31465,XWiki Platform Vulnerability: Code Execution via User Profile,"A vulnerability in the XWiki Platform allows any user with edit permissions to perform arbitrary code execution on the server by adding an object of type `XWiki.SearchSuggestSourceClass` to their user profile or to any page, with severe implications for the confidentiality, integrity, and availability of the XWiki installation. This issue affects versions from 5.0-rc-1 up to, but not including, 14.10.20, 15.5.4, and 15.10-rc-1. Users are encouraged to upgrade to versions 14.10.20, 15.5.4, or 15.10 RC1, or to apply the recommended patch to the `XWiki.SearchSuggestSourceSheet` document to mitigate this vulnerability.",Xwiki,Xwiki-platform,8.8,HIGH,0.0011599999852478504,false,,false,false,false,,,false,false,,2024-04-10T19:12:35.517Z,0
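Added example, not code from the feed or from the XWiki project: a triage script for an export in this format. It parses the CSV with Python's csv module (which copes with quoted descriptions that contain line breaks), ranks the records by the feed's own exploitation signals (cisa, exploited, poc, epss, score), and decides whether an installed XWiki version is still affected by reading the fixed versions out of each description. Assumptions not taken from the page: the column names above; that fixed versions are named in prose after phrases such as "patched in", "prior to versions" or "upgrade to"; the installed version string "15.10.8"; and SAMPLE_CSV, a constructed subset of three records whose descriptions are abridged so the script runs offline. The affected/not-affected verdict is a heuristic over free text, so confirm it against the vendor advisory before closing a ticket.

```python
"""Triage a CVE CSV export (feed columns as above) against an installed XWiki
version. Added example; not the feed's or XWiki's code. SAMPLE_CSV is
constructed: three records abridged from the feed, descriptions shortened."""
import csv
import io
import re

SAMPLE_CSV = """cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-31982,https://securityvulnerability.io/vulnerability/CVE-2024-31982,Remote Code Execution Vulnerability in XWiki Platform,"Remote code execution through the database search feature, reachable by any visitor of a public or closed wiki. The vulnerability has been patched in versions 14.10.20, 15.5.4, and 15.10RC1 of XWiki.",Xwiki,Xwiki-platform,9.8,CRITICAL,0.12996000051498413,false,,true,false,true,2024-06-23T06:20:33.000Z,true,false,false,,2024-04-10T19:38:01.879Z,0
CVE-2024-37899,https://securityvulnerability.io/vulnerability/CVE-2024-37899,XWiki Platform Vulnerability: Disable User Account to Execute Malicious Code,"A malicious user can escalate privileges by inserting code into their user profile; it runs when an admin disables the account.
Affected users must upgrade to XWiki versions 14.10.21, 15.5.5, 15.10.6, or 16.0.0, as there are currently no workarounds available.",Xwiki,Xwiki-platform,8,HIGH,0.000699999975040555,false,,false,false,false,,,false,false,,2024-06-20T23:15:00.000Z,0
CVE-2024-55876,https://securityvulnerability.io/vulnerability/CVE-2024-55876,XWiki Platform Vulnerability - Scheduler Code Execution,"Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. This has been patched in XWiki 15.10.9 and 16.3.0.",Xwiki,Xwiki-platform,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-12-12T18:59:49.733Z,0
"""

# Version tokens as XWiki advisories write them: 15.10.9, 15.10-rc-1,
# 16.3.0RC1, 15.0 RC1, 1.2-milestone-2.
VERSION_RE = re.compile(
    r"\b(\d+)\.(\d+)(?:\.(\d+))?(?:\s*-?\s*(milestone|rc)\s*-?\s*(\d+))?", re.I)
STAGE = {"milestone": 0, "rc": 1, None: 2}  # final > rc > milestone
SENTENCE_SPLIT = re.compile(r"(?<=[.!?])\s+")
# Phrases after which the advisories list fixed versions (assumed wording).
FIX_KEYWORD = re.compile(
    r"\b(?:patched|fixed|resolved|addressed|available)\s+in\b"
    r"|\b(?:upgrade|update)\s+to\b|\bprior\s+to\b|\bnot\s+including\b", re.I)
# Phrases introducing the first affected version.
INTRO_KEYWORD = re.compile(
    r"\b(?:starting\s+(?:in|from)\s+version|versions?\s+from|from\s+version)\s+", re.I)


def version_key(match):
    """Comparable tuple (major, minor, patch, stage, stage_no)."""
    major, minor, patch, stage, stage_no = match.groups()
    stage = stage.lower() if stage else None
    return (int(major), int(minor), int(patch or 0), STAGE[stage], int(stage_no or 0))


def parse_version(text):
    match = VERSION_RE.fullmatch(text.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    return version_key(match)


def extract_versions(description):
    """Return (introduced, fixes): first affected version (or None) and the
    set of versions named after a fix keyword within the same sentence."""
    introduced, fixes = None, set()
    for sentence in SENTENCE_SPLIT.split(description):
        intro = INTRO_KEYWORD.search(sentence)
        if intro and introduced is None:
            first = VERSION_RE.match(sentence, intro.end())
            if first:
                introduced = version_key(first)
        for kw in FIX_KEYWORD.finditer(sentence):
            fixes.update(version_key(v) for v in VERSION_RE.finditer(sentence, kw.end()))
    return introduced, fixes


def is_affected(installed, introduced, fixes):
    """Heuristic: patched if at/after the fix on the same major.minor line, or
    at/after the newest fix overall (a branch newer than every fix). A branch
    older than the newest fix with no fix of its own counts as unpatched.
    None when the description names no fixed version at all."""
    if introduced is not None and installed < introduced:
        return False
    if not fixes:
        return None
    same_line = [f for f in fixes if f[:2] == installed[:2]]
    if same_line:
        return installed < min(same_line)
    return installed < max(fixes)


def as_bool(value):
    return value.strip().lower() == "true"


def triage(csv_text, installed_version):
    """One dict per record, most urgent first: CISA KEV, then exploitation
    seen in the wild, then public PoC, then EPSS, then CVSS score."""
    installed = parse_version(installed_version)
    rows = []
    # DictReader handles quoted descriptions that span several lines.
    for rec in csv.DictReader(io.StringIO(csv_text)):
        introduced, fixes = extract_versions(rec["description"])
        rows.append({
            "cve": rec["cve"],
            "score": float(rec["score"] or 0),
            "epss": float(rec["epss"] or 0),
            "cisa_kev": as_bool(rec["cisa"]),
            "exploited": as_bool(rec["exploited"]),
            "poc": as_bool(rec["poc"]),
            "fixes": sorted(fixes),
            "affected": is_affected(installed, introduced, fixes),
        })
    rows.sort(key=lambda r: (r["cisa_kev"], r["exploited"], r["poc"],
                             r["epss"], r["score"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_CSV, "15.10.8"):
        flags = [k for k in ("cisa_kev", "exploited", "poc") if row[k]]
        print(f"{row['cve']}: affected={row['affected']} cvss={row['score']} "
              f"epss={row['epss']:.4f} {flags}")
```

Run it as a script to print the ranked list for 15.10.8, or import `triage` and pass the full export text and your own version. A record whose description names no fixed version gets `affected=None` rather than a guess, and a pre-release such as 15.10-rc-1 sorts below the 15.10 final release, so an installed 15.10.x is correctly treated as carrying a fix that shipped in 15.10RC1.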