Critical severity · NVD Advisory · Published Jun 12, 2025 · Updated Jan 12, 2026
XWiki allows SQL injection in query endpoint of REST API with Oracle
CVE-2024-56158
Description
XWiki is a generic wiki platform. On Oracle, a request to the REST query endpoint can execute arbitrary SQL by calling functions such as DBMS_XMLGEN or DBMS_XMLQUERY inside a select: XWiki's query validator did not restrict which functions may appear in a simple select, and Hibernate passes any native database function through in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.
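The weakness the description names is a validator that accepted whatever function name appeared in a select item and left the rest to Hibernate, which forwards native functions to the database unchanged. The following stand-alone Python is an added example of the opposite design, an allow-list keyed on the full function name found in the select list; it is not XWiki's StandardHQLCompleteStatementValidator (which works on a parsed statement rather than on tokens), and ALLOWED_FUNCTIONS, the helper names and the sample queries are all constructed for this illustration.

```python
import re

# Added example: a stand-alone allow-list check for function calls in the
# select list of an HQL/SQL statement. It is NOT XWiki's
# StandardHQLCompleteStatementValidator; the allow-list below and the sample
# queries are constructed for illustration (assumption).
ALLOWED_FUNCTIONS = {
    "count", "min", "max", "sum", "avg",
    "lower", "upper", "length", "trim", "concat", "coalesce",
}

# Tokens: string literals and quoted identifiers are consumed whole so that a
# '(' inside a literal is never mistaken for a call; identifiers may be
# package-qualified (dbms_xmlgen.getxml); anything else is a single character.
_TOKEN_RE = re.compile(r"""
      '(?:[^']|'')*'
    | "(?:[^"]|"")*"
    | [A-Za-z_][A-Za-z0-9_.]*
    | \S
""", re.VERBOSE)
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")


def tokenize(statement):
    return [m.group(0) for m in _TOKEN_RE.finditer(statement)]


def select_list_functions(statement):
    """Names (lower-cased) of every function invoked in the select list, in order.

    The select list is everything between the leading SELECT and the first FROM
    at parenthesis depth 0, so calls nested inside other calls or inside a
    parenthesised sub-expression are still collected.
    """
    tokens = tokenize(statement)
    names = []
    depth = 0
    in_select = False
    for i, tok in enumerate(tokens):
        low = tok.lower()
        if depth == 0 and not in_select and low == "select":
            in_select = True
            continue
        if depth == 0 and in_select and low == "from":
            break
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif (in_select and _IDENT_RE.fullmatch(tok)
              and i + 1 < len(tokens) and tokens[i + 1] == "("):
            names.append(low)
    return names


def validate_select(statement):
    """Return (True, None) when every function call in the select list is
    allow-listed, otherwise (False, <first rejected function name>).

    Matching on the full, lower-cased name means a package-qualified Oracle
    call such as dbms_xmlgen.getxml can never collide with a plain allowed name.
    """
    for name in select_list_functions(statement):
        if name not in ALLOWED_FUNCTIONS:
            return False, name
    return True, None


if __name__ == "__main__":
    # Constructed sample statements (not from the advisory or the project).
    samples = [
        "select doc.fullName, count(doc.name) from XWikiDocument doc",
        "select dbms_xmlgen.getxml('select 1 from dual') from XWikiDocument doc",
        "select lower(DBMS_XMLQUERY.getxml('select 1 from dual')) from XWikiDocument doc",
        "select concat(doc.name, 'getxml(') from XWikiDocument doc",
    ]
    for s in samples:
        print(validate_select(s), "<-", s)
```

Two points carry over to a real validator regardless of how the statement is parsed: the decision must be made on the function name before the query reaches Hibernate, since Hibernate itself will not refuse a native function, and the name compared against the allow-list has to be the whole qualified name, so that a package-qualified Oracle call is rejected rather than being reduced to its last component. A tokenizer as above is only adequate for the simple select shape shown; a production check belongs on a parsed AST, as XWiki's validator does with its Column and Function select items.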
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-oldcore | Maven | >= 1.0, < 15.10.16 | 15.10.16 |
| org.xwiki.platform:xwiki-platform-oldcore | Maven | >= 16.0.0-rc-1, < 16.4.7 | 16.4.7 |
| org.xwiki.platform:xwiki-platform-oldcore | Maven | >= 16.5.0-rc-1, < 16.10.2 | 16.10.2 |
Affected products
- Range: >= 1.0, < 15.10.16
Patches
ce855aae38ee · XWIKI-22734: Improve the standard query validator
1 file changed · +9 −8
xwiki-platform-core/xwiki-platform-oldcore/src/main/java/org/xwiki/query/hql/internal/StandardHQLCompleteStatementValidator.java+9 −8 modified@@ -318,8 +318,8 @@ private Map<String, String> getTables(PlainSelect plainSelect) private void addFromItem(FromItem item, Map<String, String> tables) { - if (item instanceof Table table) { - String tableName = table.getName(); + if (item instanceof Table) { + String tableName = ((Table) item).getName(); tables.put(item.getAlias() != null ? item.getAlias().getName() : tableName, tableName); } } @@ -341,8 +341,9 @@ private boolean isSelectItemAllowed(SelectItem selectItem, Map<String, String> t private boolean isAllowedAllTableColumns(ExpressionList parameters, Map<String, String> tables) { - return parameters.getExpressions().get(0) instanceof AllTableColumns allTableColumns - && isTableAllowed(getTableName(allTableColumns.getTable(), tables)); + Expression expression = parameters.getExpressions().get(0); + return expression instanceof AllTableColumns + && isTableAllowed(getTableName(((AllTableColumns) expression).getTable(), tables)); } private boolean isAllowedAllColumns(ExpressionList parameters, Map<String, String> tables) @@ -361,12 +362,12 @@ private boolean isSelectExpressionAllowed(Expression expression, Map<String, Str { boolean safe = false; - if (expression instanceof Column column) { - if (isColumnAllowed(column, tables)) { + if (expression instanceof Column) { + if (isColumnAllowed(((Column) expression), tables)) { safe = true; } - } else if (expression instanceof Function function) { - safe = isSelectFunctionSafe(function, tables); + } else if (expression instanceof Function) { + safe = isSelectFunctionSafe(((Function) expression), tables); } return safe;
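Review bot: the addFromItem hunk is a pure syntactic change, replacing the pattern-matching `if (item instanceof Table table)` with `if (item instanceof Table)` plus an explicit `((Table) item).getName()` cast, so it alters no validation logic; that reads as a source-level compatibility adjustment for a JDK without pattern matching rather than part of the advisory's fix, and the commit description would be clearer if it said so, since a reader hunting for the security change will otherwise expect to find it here.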
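Review bot: in isAllowedAllTableColumns the new local `Expression expression = parameters.getExpressions().get(0);` still indexes element 0 with no check that the list is non-empty, so a function called with an empty argument list reaches `get(0)` and fails with an exception rather than with a `false` result; if an empty ExpressionList can reach this method, guarding with `parameters.getExpressions().isEmpty()` and returning false keeps the validator failing closed on the normal path instead of by exception.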
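Review bot: in isSelectExpressionAllowed the Function branch still delegates unchanged to `isSelectFunctionSafe(((Function) expression), tables)`, and isSelectFunctionSafe is not touched anywhere in this diff; since the advisory's problem is precisely that functions in a simple select were not restricted (Oracle's DBMS_XMLGEN and DBMS_XMLQUERY are the cited examples), none of the visible hunks tightens which function names are accepted, so whoever verifies this CVE's fix should look for the allow-list change in isSelectFunctionSafe rather than in these lines. Minor style point in the same hunk: the outer parentheses in `((Column) expression)` and `((Function) expression)` are redundant as method arguments; `(Column) expression` matches the cast style used in the first hunk.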
References
- github.com/advisories/GHSA-prwh-7838-xf82 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-56158 (NVD)
- github.com/xwiki/xwiki-platform/commit/ce855aae38eefd8ee3fc86353d51ac03d6cb7f8d (fix commit)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-prwh-7838-xf82 (vendor advisory)
- jira.xwiki.org/browse/XWIKI-22734 (issue tracker)