XWiki security policy is detailed on the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.
Security: xwiki/xwiki-platform
- Users can be tricked to execute scripts as the create page action doesn't display the page's title (GHSA-ghf6-2f42-mjh9), published Oct 25, 2023 by michitux, severity: Critical
- Velocity execution without script right through VelocityCode and VelocityWiki property (GHSA-m5m2-h6h9-p2c8), published Sep 1, 2023 by michitux, severity: Moderate
- Cookies are sent to external images in rendered diff (and server side request forgery) (GHSA-7rfg-6273-f5wp), published Nov 20, 2023 by michitux, severity: Critical
- Groovy jobs check the wrong author, allowing remote code execution (GHSA-8xhr-x3v8-rghj), published Aug 23, 2023 by surli, severity: Critical
- CSRF privilege escalation/RCE via the create action (GHSA-4f8m-7h83-9f6m), published Aug 23, 2023 by surli, severity: Critical
- Data leak through deleted and re-created documents (GHSA-gh64-qxh5-4m33), published Oct 25, 2023 by michitux, severity: Moderate
- Obfuscated email addresses should not be sorted (GHSA-g9w4-prf3-m25g), published Jul 27, 2023 by surli, severity: Moderate
- Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet (GHSA-v2rr-xw95-wcjx), published Oct 25, 2023 by michitux, severity: Critical
- CSRF privilege escalation/RCE via the edit action (GHSA-hgpw-6p4h-j6h5), published Nov 7, 2023 by tmortagne, severity: Critical
- Cross-site request forgery (CSRF) via the REST API (GHSA-6xxr-648m-gch6), published Jul 10, 2023 by michitux, severity: Critical