The XWiki security policy is detailed in the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.
Security: xwiki/xwiki-platform
- Remote code execution through the section parameter in Administration as guest (GHSA-62pr-qqf7-hh89), published Nov 6, 2023 by michitux, severity: Critical
- RXSS through revision parameter in content menu (GHSA-j9rc-w3wv-fv62), published Nov 6, 2023 by michitux, severity: Critical
- XSS from account in the create page form via template provider (GHSA-gr82-8fj2-ggc3), published Oct 25, 2023 by michitux, severity: Critical
- XSS with edit right in the create document form for existing pages (GHSA-93gh-jgjj-r929), published Oct 25, 2023 by michitux, severity: Critical
- Reflected XSS in the create document form if name validation is enabled (GHSA-qcj9-gcpg-4w2w), published Oct 25, 2023 by michitux, severity: Critical
- Users can be tricked to execute scripts as the create page action doesn't display the page's title (GHSA-ghf6-2f42-mjh9), published Oct 25, 2023 by michitux, severity: Critical
- Velocity execution without script right through VelocityCode and VelocityWiki property (GHSA-m5m2-h6h9-p2c8), published Sep 1, 2023 by michitux, severity: Moderate
- Cookies are sent to external images in rendered diff (and server side request forgery) (GHSA-7rfg-6273-f5wp), published Nov 20, 2023 by michitux, severity: Critical
- Groovy jobs check the wrong author, allowing remote code execution (GHSA-8xhr-x3v8-rghj), published Aug 23, 2023 by surli, severity: Critical
- CSRF privilege escalation/RCE via the create action (GHSA-4f8m-7h83-9f6m), published Aug 23, 2023 by surli, severity: Critical