XWiki's security policy (how to report a vulnerability, and how the project triages, fixes and discloses one) is described in the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.
Published security advisories for xwiki/xwiki-platform (GitHub advisory ID, severity, publication date and reporter in parentheses):
No CSRF protection on the password change form (GHSA-v9j2-q4q5-cxh4, Moderate, published Jul 1, 2021 by surli)
Remote code execution in user profiles with reset password (GHSA-mgjw-2wrp-r535, High, published Feb 9, 2022 by tmortagne)
A user without programming rights (PR) can reset user authentication failure information (GHSA-m738-3rc4-5xv3, Low, published Jul 1, 2021 by surli)
Script injection without script or programming rights through Gadget titles (GHSA-h353-hc43-95vc, High, published May 18, 2021 by surli)
A user without programming right can save a document which will have programming right (GHSA-f4cj-3q3h-884r, Moderate, published Feb 9, 2022 by tmortagne)
Users registered with email verification can self re-activate their disabled accounts (GHSA-76mp-659p-rw65, Moderate, published May 18, 2021 by surli)
Rating Script Service exposes XWiki to SQL injection (GHSA-79rg-7mv3-jrr5, High, published Mar 19, 2021 by surli)
XSS (cross-site scripting) (GHSA-5c66-v29h-xjh8, High, published Apr 20, 2021 by surli)
It's possible to execute anything with the rights of the author of a macro which uses the {{wikimacrocontent}} macro (GHSA-v662-xpcc-9xf6, High, published Mar 11, 2021 by tmortagne)
Users with SCRIPT right can access the application server instance manager and create arbitrary Java objects through the $xcontext.request and $context.request bindings (GHSA-5hv6-mh8q-q9v8, High, published Oct 15, 2020 by tmortagne)