Maven package
org.xwiki.platform/xwiki-platform-rest-server
pkg:maven/org.xwiki.platform/xwiki-platform-rest-server
Vulnerabilities (10)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-66473 | — | — | — | < 16.10.11 | 16.10.11 | Dec 10, 2025 | XWiki is an open-source wiki software platform. Versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3 and 17.5.0-rc-1 through 17.6.0 contain a REST API which doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on |
| CVE-2025-52472 | Critical | — | — | >= 17.0.0-rc-1, < 17.4.2 | 17.4.2 | Oct 6, 2025 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the `orderField` parameter. The s |
| CVE-2025-49584 | — | — | — | >= 10.9, < 16.4.7 | 16.4.7 | Jun 13, 2025 | XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, th |
| CVE-2025-46554 | — | — | — | >= 1.8.1, < 14.10.22 | 14.10.22 | Apr 30, 2025 | XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachmen |
| CVE-2025-32969 | — | — | — | >= 1.8, < 15.10.16 | 15.10.16 | Apr 23, 2025 | XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the datab |
| CVE-2025-29925 | — | — | — | >= 1.9M1, < 15.10.14 | 15.10.14 | Mar 19, 2025 | XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is prote |
| CVE-2024-45591 | — | — | — | >= 1.8.0, < 15.10.9 | 15.10.9 | Sep 10, 2024 | XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modificati |
| CVE-2023-37277 | — | — | — | >= 1.8, < 14.10.8 | 14.10.8 | Jul 10, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/www-form-urlencoded` as content types which can be |
| CVE-2023-35151 | — | — | — | >= 7.3-milestone-1, < 14.4.8 | 14.4.8 | Jun 23, 2023 | XWiki Platform is a generic wiki platform. Starting in version 7.3-milestone-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any user can call a REST endpoint and obtain the obfuscated passwords, even when the mail obfuscation is activated. The issue has been patched in XWiki 1 |
| CVE-2022-41936 | — | — | — | >= 8.1, < 13.10.8 | 13.10.8 | Nov 22, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` REST endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users is exposed through the `mod |