Description
XWiki is a generic wiki platform. When XWiki runs on an Oracle database, it is possible to execute arbitrary SQL by calling Oracle functions such as DBMS_XMLGEN or DBMS_XMLQUERY from within an HQL query: the XWiki query validator does not restrict the functions that may appear in a "simple select", and Hibernate passes any native database function in an HQL query through to the database unchanged. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.
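The root cause described above is a validator that checks the shape of the query but not which functions it calls, so any native function reachable through Hibernate is reachable by an attacker. The following is an added illustration, not code from XWiki, the advisory or the fix commit: it sketches the deny-by-default function check that closes this class of bug, treating every function name that appears before an opening parenthesis as unknown unless it is on an allow-list. The allow-list, the keyword set and the sample queries (which borrow XWiki's XWikiDocument entity and field names only for realism) are all constructed for this example.

```python
import re

# Constructed allow-list of functions a "simple select" may call.
# This is an illustration only; it is not XWiki's own list.
ALLOWED_FUNCTIONS = {
    "lower", "upper", "length", "trim", "concat", "coalesce",
    "count", "max", "min", "sum", "avg",
}

# HQL keywords that may legitimately precede an opening parenthesis
# (e.g. "in (:ids)", "exists (select ...)", "where (a = 1)").
KEYWORDS_BEFORE_PAREN = {
    "select", "from", "where", "and", "or", "not", "in", "exists",
    "on", "when", "then", "else", "case", "is", "like", "between", "distinct",
}

# Single-quoted HQL string literal, with '' as the escaped quote.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
# Identifier-like token immediately before a '(' : allows dotted names
# (DBMS_XMLGEN.getxml, SYS.DBMS_XMLQUERY.getxml) and quoted names.
_TOKEN_BEFORE_PAREN = re.compile(r'([A-Za-z0-9_.$"`]+)$')


def called_functions(hql: str) -> list[str]:
    """Return every token used as a function name in `hql`, lower-cased.

    String literals are blanked first so text inside a quoted value is never
    mistaken for a call. For each '(' the preceding token decides: an HQL
    keyword, or nothing at all (after '=' or ','), is not a call; anything
    else, including schema-qualified or quoted names, is reported.
    """
    text = _STRING_LITERAL.sub("''", hql)
    calls = []
    for pos, ch in enumerate(text):
        if ch != "(":
            continue
        m = _TOKEN_BEFORE_PAREN.search(text[:pos].rstrip())
        if m is None:
            continue
        token = m.group(1).lower()
        if token in KEYWORDS_BEFORE_PAREN:
            continue
        calls.append(token)
    return calls


def disallowed_functions(hql: str) -> list[str]:
    """Functions called in `hql` that are not on the allow-list (deny by default)."""
    return [f for f in called_functions(hql) if f not in ALLOWED_FUNCTIONS]


def is_safe_select(hql: str) -> bool:
    """True only when every function the query calls is allow-listed."""
    return not disallowed_functions(hql)


# Constructed sample queries. The entity and field names mimic XWiki's
# XWikiDocument mapping but are part of this illustration, not taken from the page.
SAFE_QUERY = (
    "select doc.fullName from XWikiDocument doc "
    "where lower(doc.name) like :pattern and doc.space in (:spaces)"
)
UNSAFE_QUERY = (
    "select doc.fullName from XWikiDocument doc "
    "where doc.name = DBMS_XMLGEN.getxml('select 1 from dual')"
)

if __name__ == "__main__":
    for q in (SAFE_QUERY, UNSAFE_QUERY):
        print(is_safe_select(q), disallowed_functions(q))
```

The important design choice is the direction of the check: a block-list of known-bad names such as DBMS_XMLGEN would still let through the next Oracle package that takes a query string, whereas an allow-list rejects it by default. Matching the token before the parenthesis rather than a fixed identifier pattern also means schema-qualified (SYS.DBMS_XMLQUERY.getxml) and double-quoted spellings of the same function are rejected instead of slipping past the regex.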
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-prwh-7838-xf82
Patch x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/ce855aae38eefd8ee3fc86353d51ac03d6cb7f8d
Issue Tracking, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-22734
Scores
CVSS v3
9.8
EPSS
0.0160
EPSS Percentile
81.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
org.xwiki.platform/xwiki-platform-oldcore
1.0 - 15.10.16 (Maven)
xwiki/xwiki
1.0 - 15.10.16
Published
Jun 12, 2025
Tracked Since
Feb 18, 2026