The XWiki security policy is detailed in the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.
Security: xwiki/xwiki-platform
- Unauthenticated user can list hidden document from multiple velocity templates (GHSA-qpp2-2mcp-2wm5), published Apr 8, 2022 by surli, severity: Moderate
- Unauthenticated user can retrieve the list of users through uorgsuggest.vm (GHSA-97jg-43c9-q6pf), published Apr 8, 2022 by surli, severity: Moderate
- It's possible to read any file from the WAR with just SCRIPT right through $xwiki.invokeServletAndReturnAsString (GHSA-2jhm-qp48-hv5j), published Feb 9, 2022 by tmortagne, severity: Moderate
- It's possible to save pretty much anything anywhere by creating and using an SSX/JSX containing "../" in its reference (GHSA-7ph6-5cmq-xgjq), published Feb 9, 2022 by tmortagne, severity: High
- The "Forgot your password?" form offers too much information concerning user accounts (GHSA-35fg-hjcr-j65f), published Feb 9, 2022 by tmortagne, severity: Moderate
- URL Redirection to Untrusted Site ('Open Redirect') (GHSA-jp55-vvmf-63mv), published Feb 9, 2022 by tmortagne, severity: Moderate
- Possible XSS by SVG upload with default configuration (GHSA-9jq9-c2cv-pcrj), published Feb 4, 2022 by surli, severity: Moderate
- Page content is revealed to users that don't have rights if used as a template for the creation of another page (GHSA-gf7x-2j2x-7f73), published Feb 9, 2022 by tmortagne, severity: Moderate
- The Forgot Username form might provide information about user accounts (GHSA-vh5c-jqfg-mhrh), published Feb 4, 2022 by surli, severity: High
- The reset password form reveal users email address (GHSA-h4m4-pgp4-whgm), published Jul 1, 2021 by surli, severity: Moderate