Maven package
org.xwiki.platform/xwiki-platform-distribution-war
pkg:maven/org.xwiki.platform/xwiki-platform-distribution-war
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-32429 | — | | | >= 9.4-rc-1, < 16.10.6 | 16.10.6 | Jul 24, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's inject |
| CVE-2024-55663 | — | | | >= 6.3-milestone-2, < 13.10.5 | 13.10.5 | Dec 12, 2024 | XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in `getdocument.vm`; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject |
| CVE-2024-21651 | — | | | >= 14.10, < 14.10.18 | 14.10.18 | Jan 8, 2024 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of servic |
| CVE-2023-32071 | — | | | >= 2.2-milestone-1, < 14.4.8 | 14.4.8 | May 9, 2023 | XWiki Platform is a generic wiki platform. Starting in versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute javascript with the right of any user by leading him to a special URL on the wiki targeting a page which contains an atta |
| CVE-2023-29525 | — | | | >= 12.6.1, < 13.10.11 | 13.10.11 | Apr 18, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Affected versions of xwiki are subject to code injection in the `since` parameter of the `/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration` endpoint. |