The XWiki security policy is detailed in the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.
Security: xwiki/xwiki-platform
- Users registered with email verification can self re-activate their disabled accounts (GHSA-76mp-659p-rw65), published May 18, 2021 by surli. Severity: Moderate
- Rating Script Service expose XWiki to SQL injection (GHSA-79rg-7mv3-jrr5), published Mar 19, 2021 by surli. Severity: High
- XSS Cross Site Scripting (GHSA-5c66-v29h-xjh8), published Apr 20, 2021 by surli. Severity: High
- It's possible to execute anything with the rights of the author of a macro which uses the {{wikimacrocontent}} macro (GHSA-v662-xpcc-9xf6), published Mar 11, 2021 by tmortagne. Severity: High
- Users with SCRIPT right can access the application server instance manager and create arbitrary Java objects through $xcontext.request and $context.request binding (GHSA-5hv6-mh8q-q9v8), published Oct 15, 2020 by tmortagne. Severity: High
- Users with SCRIPT right can access the application server instance manager and create arbitrary Java objects through $request binding (GHSA-7qw5-pqhc-xm4g), published Sep 10, 2020 by tmortagne. Severity: High
- Authenticated server side code execution without programming rights on User Dashboards (GHSA-rmp6-jjg8-9424), published May 12, 2020 by surli. Severity: High
Learn more about advisories related to xwiki/xwiki-platform in the GitHub Advisory Database