VYPR

Xwiki Platform

by Cryptpad

CVEs (230)

  • CVE-2024-38369 (Jun 24, 2024)
    risk 0.00 | cvss | epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference="targetdocument"/}}` is executed with the right of the includer and not with the right of its author. This means…

  • CVE-2024-37899 (Jun 20, 2024)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting…

  • CVE-2024-31997 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.74

    XWiki Platform is a generic wiki platform. Prior to versions 14.10.19, 15.5.4, and 15.10-rc-1, parameters of UI extensions are always interpreted as Velocity code and executed with programming rights. Any user with edit right on any document like the user's own profile can create…

  • CVE-2024-31988 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right.…

  • CVE-2024-31987 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 14.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus…

  • CVE-2024-31986 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 14.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted document reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code on the…

  • CVE-2024-31985 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.00

    XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 14.10.20, 15.5.4, and 15.10-rc-1, it is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by…

  • CVE-2024-31984 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.83

    XWiki Platform is a generic wiki platform. Starting in version 7.2-rc-1 and prior to versions 14.10.20, 15.5.4, and 15.10-rc-1, by creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows…

  • CVE-2024-31983 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform. In multilingual wikis, translations can be edited by any user who has edit right, circumventing the rights that are normally required for authoring translations (script right for user-scope translations, wiki admin for translations on…

  • CVE-2024-31982 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.35

    XWiki Platform is a generic wiki platform. Starting in version 2.4-milestone-1 and prior to versions 14.10.20, 15.5.4, and 15.10-rc-1, XWiki's database search allows remote code execution through the search text. This allows remote code execution for any visitor of a public wiki…

  • CVE-2024-31981 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 14.10.20, 15.5.4, and 15.10-rc-1, remote code execution is possible via PDF export templates. This vulnerability has been patched in XWiki 14.10.20, 15.5.4 and 15.10-rc-1. If PDF templates…

  • CVE-2024-31465 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.76

    XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.20, 15.5.4, and 15.9-rc-1, any user with edit right on any page can execute any code on the server by adding an object of type `XWiki.SearchSuggestSourceClass` to their user…

  • CVE-2024-31464 (Apr 10, 2024)
    risk 0.00 | cvss | epss 0.00

    XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.9-rc-1, it is possible to access the hash of a password by using the diff feature of the history whenever the object storing the password is deleted. Using that…

  • CVE-2024-21648 (Jan 8, 2024)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The rollback action is missing a right protection: a user can roll back to a previous version of the page to gain rights they don't have anymore. The problem has been patched…

  • CVE-2024-21651 (Jan 8, 2024)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of…

  • CVE-2024-21650 (Jan 8, 2024)
    risk 0.00 | cvss | epss 0.93

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting…

  • CVE-2023-50732 (Dec 21, 2023)
    risk 0.00 | cvss | epss 0.00

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1.

  • CVE-2023-50723 (Dec 15, 2023)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying…

  • CVE-2023-50722 (Dec 15, 2023)
    risk 0.00 | cvss | epss 0.01

    XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, there is a reflected XSS or also direct remote code execution vulnerability in the code for displaying configurable admin sections. The code that can be passed…

  • CVE-2023-50721 (Dec 15, 2023)
    risk 0.00 | cvss | epss 0.79

    XWiki Platform is a generic wiki platform. Starting in 4.5-rc-1 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax…
