org.xwiki.platform:xwiki-platform-oldcore
Maven | 42 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.xwiki.platform:xwiki-platform-oldcore
- CVE-2006-7223 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.0B1 | 2007-09-14
PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecti…
- CVE-2020-15171 | MEDIUM | CVSS 6.6 | EG 6.6 | ✓ Fixed in 12.2.1 | 2020-09-10
In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke m…
- CVE-2020-15252 | HIGH | CVSS 8.5 | EG 8.5 | ✓ Fixed in 12.5 | 2020-10-16
In XWiki before version 12.5 and 11.10.6, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke met…
- CVE-2021-29459 | CRITICAL | CVSS 9.6 | EG 9.6 | ✓ Fixed in 12.8 | 2021-04-20
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible to persistently inject scripts in XWiki versions prior to 12.6.3 and 12.8. Unregistered users can fill simple text field…
- CVE-2021-43841 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 13.3RC1 | 2022-02-04
XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download…
- CVE-2022-23615 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 13.0 | 2022-02-09
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requi…
- CVE-2022-23617 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 13.2-rc-1 | 2022-02-09
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit right can copy the content of a page it does not have access to by using it as template of a n…
- CVE-2022-23618 | MEDIUM | CVSS 4.7 | EG 4.7 | ✓ Fixed in 13.3RC1 | 2022-02-09
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is no protection against URL redirection to untrusted sites, in particular some well known parameters (xred…
- CVE-2022-23621 | MEDIUM | CVSS 5.5 | EG 5.5 | ✓ Fixed in 12.10.9 | 2022-02-09
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties…
- CVE-2022-29253 | LOW | CVSS 2.7 | EG 2.7 | ✓ Fixed in 13.10.3 | 2022-05-25
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the t…
- CVE-2022-31166 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 14.2-rc-1 | 2022-09-07
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. Mo…
- CVE-2022-36090 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 14.3-rc-1 | 2022-09-08
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the …
- CVE-2022-36092 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 14.2 | 2022-09-08
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 14.2 and 13.10.4, all rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the log…
- CVE-2022-41929 | MEDIUM | CVSS 4.9 | EG 4.9 | ✓ Fixed in 14.4.2 | 2022-11-23
org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available …
- CVE-2022-41932 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 14.6-rc-1 | 2022-11-23
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login for…
- CVE-2023-26470 | MEDIUM | CVSS 5.7 | EG 5.7 | ✓ Fixed in 14.0-rc-1 | 2023-03-02
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). Most of the time this will f…
- CVE-2023-26474 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 14.10 | 2023-03-02
XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There …
- CVE-2023-29204 | MEDIUM | CVSS 4.7 | EG 4.7 | ✓ Fixed in 14.8-rc-1 | 2023-04-15
XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as `//mydomain.com` (i.e. omitting…
- CVE-2023-29208 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 14.10 | 2023-04-15
XWiki Commons are technical libraries common to several other top level XWiki projects. Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impacts deleted documents that…
- CVE-2023-29507 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 14.4.7 | 2023-04-16
XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent execu…
- CVE-2023-29523 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 14.10.2 | 2023-04-19
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote …
- CVE-2023-29526 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 14.10.3 | 2023-04-19
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to display or interact with any page a user cannot access through the combination of the async and …
- CVE-2023-32068 | MEDIUM | CVSS 4.7 | EG 4.7 | ✓ Fixed in 14.10.4 | 2023-05-15
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 14.10.4 it's possible to exploit well known parameters in XWiki URLs to perform redirection to untrusted site. Th…
- CVE-2023-35157 | HIGH | CVSS 8.4 | EG 8.4 | ✓ Fixed in 15.1-rc-1 | 2023-06-23
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can b…
- CVE-2023-36468 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 15.2-rc-1 | 2023-06-29
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document, just a new version of that document is…
- CVE-2023-37911 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 15.3-rc-1 | 2023-10-25
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possi…
- CVE-2023-40572 | CRITICAL | CVSS 9.0 | EG 9.0 | ✓ Fixed in 15.4-rc-1 | 2023-08-24
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/pro…
- CVE-2023-41046 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 15.4-rc-1 | 2023-09-01
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible in XWiki to execute Velocity code without having script right by creating an XClass with a property of type "TextArea" …
- CVE-2023-46242 | CRITICAL | CVSS 9.6 | EG 9.6 | ✓ Fixed in 15.2-rc-1 | 2023-11-07
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` p…
- CVE-2023-46243 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 14.10.6 | 2023-11-07
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided…
- CVE-2024-21648 | HIGH | CVSS 8.0 | EG 8.0 | ✓ Fixed in 14.10.17 | 2024-01-09
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The rollback action is missing a right protection, a user can rollback to a previous version of the page to gain rights they don't hav…
- CVE-2024-31464 | MEDIUM | CVSS 6.8 | EG 6.8 | ✓ Fixed in 15.9-rc-1 | 2024-04-10
XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.9-rc-1, it is possible to access the hash of a password by using the diff feature of the history whenever the object sto…
- CVE-2024-31981 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 15.10-rc-1 | 2024-04-10
XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 14.10.20, 15.5.4, and 15.10-rc-1, remote code execution is possible via PDF export templates. This vulnerability has been patched in XWiki 14.10.20, …
- CVE-2024-31987 | CRITICAL | CVSS 9.9 | EG 9.9 | ✓ Fixed in 15.10-rc-1 | 2024-04-10
XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 14.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page like their profile can create a custom skin with a template override that …
- CVE-2024-37898 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 15.10.6 | 2024-07-31
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has view but not edit right on a page in XWiki, that user can delete the page and replace it by a page with new content wi…
- CVE-2024-37899 | CRITICAL | CVSS 9.0 | EG 9.0 | ✓ Fixed in 16.0.0 | 2024-06-20
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious c…
- CVE-2024-43400 | CRITICAL | CVSS 9.0 | EG 9.0 | ✓ Fixed in 16.0.0 | 2024-08-19
vulnerable: 16.0.0-rc-1
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requi…
- CVE-2024-56158 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 15.10.16 | 2025-06-12
XWiki is a generic wiki platform. It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hib…
- CVE-2025-32968 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 15.10.16 | 2025-04-23
XWiki is a generic wiki platform. In versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1, it is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to …
- CVE-2025-54125 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 16.4.7 | 2025-08-06
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 th…
- CVE-2026-33229 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 17.10.1 | 2026-04-08
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the V…
- CVE-2026-40104 | HIGH | CVSS 8.2 | EG 8.2 | ✓ Fixed in 17.10.1 | 2026-04-15
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xw…
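The single "Fixed in" column above is not enough on its own to decide whether a given deployment is patched: XWiki backports fixes to maintenance lines (for example CVE-2024-31981 is fixed in 14.10.20, 15.5.4 and 15.10-rc-1, and CVE-2024-43400 is fixed in 16.0.0 while 16.0.0-rc-1 is still vulnerable), and a plain string comparison gets pre-release tags wrong. The following is an added example, not code from this page or from the XWiki project: it orders versions the way Maven does (alpha < beta < milestone < rc < release), treats each major.minor line as a separate maintenance branch (an assumption that matches the XWiki release lines listed here), and reports which of a sample of the advisories above still apply to an installed version. The `ADVISORIES` table is constructed from the entries on this page; the extra branch versions come from the advisory text, not from the "Fixed in" column.

```python
"""Added example: check an installed org.xwiki.platform:xwiki-platform-oldcore
version against fixed versions from the advisories above, using Maven-style
version ordering so pre-release tags sort before the matching release.
Not part of the page or of XWiki itself."""
import re
from functools import cmp_to_key

# Qualifier ranking as in Maven's ComparableVersion: alpha < beta < milestone
# < rc/cr < snapshot < release (empty/ga/final) < sp.  Simplification: other
# qualifiers are treated like a release (Maven would compare them lexically).
_QUALIFIERS = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
               "rc": 3, "cr": 3, "snapshot": 4, "": 5, "ga": 5, "final": 5,
               "sp": 6}
_RELEASE = 5


def parse_version(text):
    """'15.10-rc-1' -> [('n',15), ('n',10), ('q',3), ('n',1)];
    '1.0B1' is split into 1, 0, beta, 1 the way Maven does."""
    tokens = []
    for part in re.split(r"[.\-]", text.strip().lower()):
        for piece in re.findall(r"\d+|[a-z]+", part):
            if piece.isdigit():
                tokens.append(("n", int(piece)))
            else:
                tokens.append(("q", _QUALIFIERS.get(piece, _RELEASE)))
    return tokens


def _cmp_token(x, y):
    """Compare one token against another; None means 'list exhausted',
    which Maven treats as 0 for numbers and as a release for qualifiers."""
    if x is None and y is None:
        return 0
    if x is None:
        return -_cmp_token(y, None)
    if x[0] == "n":
        if y is None:
            return 1 if x[1] > 0 else 0
        if y[0] == "n":
            return (x[1] > y[1]) - (x[1] < y[1])
        return 1                       # a number sorts after any qualifier
    if y is not None and y[0] == "n":  # a qualifier sorts before any number
        return -1
    rank_y = _RELEASE if y is None else y[1]
    return (x[1] > rank_y) - (x[1] < rank_y)


def compare(a, b):
    """Return -1, 0 or 1 for version strings a and b (Maven ordering)."""
    ta, tb = parse_version(a), parse_version(b)
    for i in range(max(len(ta), len(tb))):
        c = _cmp_token(ta[i] if i < len(ta) else None,
                       tb[i] if i < len(tb) else None)
        if c:
            return c
    return 0


def branch(version):
    """Assumption: XWiki maintains fixes per major.minor line (14.10.x,
    15.5.x, ...), so that pair identifies the branch an install sits on."""
    nums = [t[1] for t in parse_version(version) if t[0] == "n"]
    return tuple(nums[:2])


def is_fixed(installed, fixed_versions):
    """Patched if at/above the newest fix, or at/above the fix on the
    install's own major.minor branch.  A branch with no listed fix (for
    example 14.10.x for a CVE fixed only in 15.x and 16.x) stays affected."""
    ordered = sorted(fixed_versions, key=cmp_to_key(compare))
    if compare(installed, ordered[-1]) >= 0:
        return True
    return any(branch(installed) == branch(f) and compare(installed, f) >= 0
               for f in ordered[:-1])


# Constructed from the entries above; the page's single "Fixed in" column
# shows one branch, the additional branches come from the advisory text.
ADVISORIES = {
    "CVE-2021-29459": ["12.6.3", "12.8"],
    "CVE-2024-31981": ["14.10.20", "15.5.4", "15.10-rc-1"],
    "CVE-2024-43400": ["16.0.0"],             # 16.0.0-rc-1 listed as vulnerable
    "CVE-2025-32968": ["15.10.16", "16.4.6", "16.10.1"],
    "CVE-2026-33229": ["17.4.8", "17.10.1"],
}


def affected_cves(installed, advisories=ADVISORIES):
    """CVE ids from the sample table that still apply to the installed version."""
    return [cve for cve, fixed in advisories.items()
            if not is_fixed(installed, fixed)]


if __name__ == "__main__":
    for v in ("14.10.20", "16.0.0-rc-1", "16.0.0", "17.10.1"):
        print(v, "->", affected_cves(v) or "none of the sampled CVEs")
```

Run it against the version reported by your deployment's `pom.xml` or SBOM (the `org.xwiki.platform:xwiki-platform-oldcore` artifact version, not the distribution name). Note that a maintenance line with no fix listed, such as 14.10.x for CVE-2025-32968, is reported as affected: the only remediation there is moving to a supported line, which is exactly the case a naive "installed >= fixed-in" comparison would hide.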