Maven package
org.xwiki.platform/xwiki-platform-administration-ui
pkg:maven/org.xwiki.platform/xwiki-platform-administration-ui
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-55879 | — | | | >= 2.3, < 15.10.9 | 15.10.9 | Dec 12, 2024 | XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, in |
| CVE-2024-21650 | — | | | >= 2.2, < 14.10.17 | 14.10.17 | Jan 8, 2024 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting maliciou |
| CVE-2023-50723 | — | | | >= 2.3, < 14.10.15 | 14.10.15 | Dec 15, 2023 | XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming rights through several cases of missing escaping in the code for displaying se |
| CVE-2023-50722 | — | | | >= 2.3, < 14.10.15 | 14.10.15 | Dec 15, 2023 | XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, there is a reflected XSS or also direct remote code execution vulnerability in the code for displaying configurable admin sections. The code that can be passed throug |
| CVE-2023-46731 | — | | | < 14.10.14 | 14.10.14 | Nov 6, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. This allows any user with read access to the document |
| CVE-2023-29514 | — | | | >= 4.2-milestone-1, < 13.10.11 | 13.10.11 | Apr 18, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on any document (e.g., their own user profile) can execute code with programming rights, leading to remote code execution. This vulnerability has bee |
| CVE-2023-29510 | — | | | >= 4.3-milestone-2, < 14.10.2 | 14.10.2 | Apr 18, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in |
| CVE-2023-29511 | — | | | >= 1.5M2, < 13.10.11 | 13.10.11 | Apr 16, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., its own user page) can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation |
| CVE-2022-23616 | — | | | >= 3.1-milestone-1, < 13.1RC1 | 13.1RC1 | Feb 9, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for an unprivileged user to perform a remote code execution by injecting a Groovy script in her own profile and by calling the Reset passwor |
| CVE-2021-32732 | — | | | < 12.10.5 | 12.10.5 | Feb 4, 2022 | Impact: it's possible to know whether or not a user has an account in a wiki related to an email address, and which username(s) is actually tied to that email, by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to p |
| CVE-2021-32730 | — | | | < 12.10.5 | 12.10.5 | Jul 1, 2021 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A cross-site request forgery vulnerability exists in versions prior to 12.10.5, and in versions 13.0 through 13.1. It's possible to forge a URL that, when accessed by an adm |