XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HXwiki
APPXwiki2.3< 13.10.1114.0 – 14.4.7 (bez)14.5 – 14.10 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
References
Related vulnerabilities
CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam produkt
XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch
CVE-2025-55748CRITICAL9.3PL ✓ten sam produkt
XWiki Platform — path traversal umożliwia odczyt plików konfiguracyjnych
CVE-2025-55747CRITICAL9.3PL ✓ten sam produkt
XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)
CVE-2025-32429CRITICAL9.3PL ✓ten sam produkt
SQL Injection w XWiki Platform via parametr sort w getdeleteddocuments.vm
CVE-2025-53836CRITICAL9.9PL ✓ten sam produkt
XWiki Rendering: bypass trybu restricted przez zagnieżdżone makra