pkg:Maven/org.xwiki.platform:xwiki-platform-oldcore

45 total CVEs: CRITICAL 11, HIGH 11, MEDIUM 14, LOW 1

All known vulnerabilities

  • [CRITICAL 9.9] CVE-2024-31987: XWiki Platform remote code execution from account via custom skins support
    >= 6.4-milestone-1, < 14.10.19
  • [CRITICAL 9.9] CVE-2024-31981: XWiki Platform: Privilege escalation (PR) from user registration through PDFClass
    >= 3.0.1, < 14.10.20
  • [CRITICAL 9.9] CVE-2023-36468: Upgrading doesn't prevent exploiting vulnerable XWiki documents
    >= 2.0, < 14.10.7
  • [CRITICAL 9.9] CVE-2023-29526: XWiki Platform's async and display macro allow displaying and interacting with any document in restricted mode
    >= 10.11.1, < 13.10.11
  • [CRITICAL 9.9] CVE-2023-29523: XWiki Platform vulnerable to code injection in display method used in user profiles
    >= 3.3-milestone-1, < 13.10.11
  • [CRITICAL 9.9] CVE-2023-26474: XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author
    >= 13.10, < 13.10.11
  • [CRITICAL 9.6] CVE-2023-46242: XWiki Platform vulnerable to remote code execution via the edit action because it lacks CSRF token
    >= 1.0, < 14.10.7
  • [CRITICAL 9.6] CVE-2021-29459: XSS Cross Site Scripting
    from 0, < 12.6.3
  • [CRITICAL 9.1] CVE-2023-29507: org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors
    >= 14.5, < 14.10
  • [CRITICAL 9.0] CVE-2024-43400: XWiki Platform allows XSS through XClass name in string properties
    >= 1.1.2, < 14.10.21
  • [CRITICAL 9.0] CVE-2024-37899: XWiki Platform allows remote code execution from user account
    >= 13.4.7, < 14.10.21
  • [HIGH 8.8] CVE-2023-46243: XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action
    >= 15.0, < 15.2-rc-1
  • [HIGH 8.5] CVE-2020-15252: RCE in XWiki
    from 0, < 11.10.6
  • [HIGH 8.4] CVE-2023-35157: XWiki Platform vulnerable to reflected cross-site scripting via delattachment action
    >= 3.2-milestone-3, < 14.10.6
  • [HIGH 8.2] CVE-2026-40104: XWiki's REST APIs can list all pages/spaces, leading to unavailability
    >= 1.8-rc-1, < 16.10.16
  • [HIGH 8.1] CVE-2022-31166: XWiki.WebHome vulnerable to Improper Privilege Management in XWiki resolving groups
    >= 11.3.7, < 13.10.4
  • [HIGH 8.1] CVE-2022-36090: XWiki Platform Improper Authorization check for inactive users
    >= 1.1, < 13.10.5
  • [HIGH 8.0] CVE-2024-21648: XWiki has no right protection on rollback action
    >= 1.0, < 14.10.17
  • [HIGH 8.0] CVE-2023-40572: XWiki Platform vulnerable to CSRF privilege escalation/RCE via the create action
    >= 3.2-milestone-3, < 14.10.9
  • [HIGH 7.5] CVE-2023-29208: org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents
    >= 1.2-milestone-1, < 13.10.11
  • [HIGH 7.5] CVE-2022-41932: Creation of new database tables through login form on PostgreSQL
    from 0, < 13.10.8
  • [HIGH 7.5] CVE-2022-36092: XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action
    from 0, < 13.10.4
  • [MEDIUM 6.8] CVE-2024-31464: XWiki Platform: Password hash might be leaked by diff once the xobject holding them is deleted
    >= 5.0-rc-1, < 14.10.19
  • [MEDIUM 6.6] CVE-2020-15171: Users with SCRIPT right can execute arbitrary code in XWiki
    from 0, < 11.10.5
  • [MEDIUM 6.5] CVE-2023-37911: org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents
    >= 9.4-rc-1, < 14.10.8
  • [MEDIUM 6.5] CVE-2022-23617: Missing authorization in xwiki-platform
    from 0, < 12.10.6
  • [MEDIUM 6.3] CVE-2023-41046: Velocity execution without script right through VelocityCode and VelocityWiki property
    >= 7.2, < 14.10.10
  • [MEDIUM 5.7] CVE-2023-26470: XWiki Platform subject to Uncontrolled Resource Consumption
    from 0, < 14.0-rc-1
  • [MEDIUM 5.5] CVE-2022-23621: Missing authorization in xwiki-platform
    >= 13.6-rc-1, < 13.7-rc-1
  • [MEDIUM 5.4] CVE-2022-23615: Partial authorization bypass on document save in xwiki-platform
    >= 1.0, < 13.0
  • [MEDIUM 4.9] CVE-2022-41929: Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
    >= 11.7RC1, < 13.10.7
  • [MEDIUM 4.7] CVE-2023-32068: org.xwiki.platform:xwiki-platform-oldcore Open Redirect vulnerability
    from 0, < 14.10.4
  • [MEDIUM 4.7] CVE-2023-29204: org.xwiki.platform:xwiki-platform-oldcore Open Redirect vulnerability
    >= 6.0-rc-1, < 13.10.10
  • [MEDIUM 4.7] CVE-2022-23618: URL Redirection to Untrusted Site ('Open Redirect')
    from 0, < 12.10.7
  • [MEDIUM 4.3] CVE-2024-37898: XWiki Platform vulnerable to document deletion and overwrite from edit
    >= 13.10.4, < 14.10.21
  • [MEDIUM 4.1] CVE-2021-43841: Cross-site Scripting by SVG upload in xwiki-platform
    from 0, < 12.10.6
  • [LOW 2.7] CVE-2022-29253: Path Traversal in XWiki Platform
    >= 8.3-rc-1, < 13.10.3
  • CVE-2026-33229: XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
    >= 17.0.0-rc-1, < 17.4.8
  • CVE-2025-54125: XWiki exposes passwords and emails stored in fields not named password/email in xml.vm
    >= 1.1, < 16.4.7
  • CVE-2025-54124: XWiki leaks password hashes and other accessible password properties
    >= 9.8-rc-1, < 16.4.7
  • CVE-2025-54385: XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API
    >= 1.0, < 16.10.6
  • CVE-2025-49586: XWiki allows remote code execution through preview of XClass changes in AWM editor
    >= 7.2-milestone-2, < 16.4.7
  • CVE-2024-56158: XWiki allows SQL injection in query endpoint of REST API with Oracle
    >= 1.0, < 15.10.16
  • CVE-2025-32968: org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API
    >= 1.6-milestone-1, < 15.10.16
  • CVE-2006-7223: XWiki Remote Code Execution
    >= 0.9.543, < 1.0B1