| Severity | Score | CVE | Advisory | Affected versions |
|---|---|---|---|---|
| CRITICAL | 9.9 | CVE-2024-31987 | XWiki Platform remote code execution from account via custom skins support | >= 6.4-milestone-1, < 14.10.19 |
| CRITICAL | 9.9 | CVE-2024-31981 | XWiki Platform: Privilege escalation (PR) from user registration through PDFClass | >= 3.0.1, < 14.10.20 |
| CRITICAL | 9.9 | | Upgrading doesn't prevent exploiting vulnerable XWiki documents | >= 2.0, < 14.10.7 |
| CRITICAL | 9.9 | | XWiki Platform's async and display macro allow displaying and interacting with any document in restricted mode | >= 10.11.1, < 13.10.11 |
| CRITICAL | 9.9 | | XWiki Platform vulnerable to code injection in display method used in user profiles | >= 3.3-milestone-1, < 13.10.11 |
| CRITICAL | 9.9 | | XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author | >= 13.10, < 13.10.11 |
| CRITICAL | 9.6 | | XWiki Platform vulnerable to remote code execution via the edit action because it lacks CSRF token | >= 1.0, < 14.10.7 |
| CRITICAL | 9.6 | | XSS Cross Site Scripting | from 0, < 12.6.3 |
| CRITICAL | 9.1 | | org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors | >= 14.5, < 14.10 |
| CRITICAL | 9.0 | | XWiki Platform allows XSS through XClass name in string properties | >= 1.1.2, < 14.10.21 |
| CRITICAL | 9.0 | | XWiki Platform allows remote code execution from user account | >= 13.4.7, < 14.10.21 |
| HIGH | 8.8 | | XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action | >= 15.0, < 15.2-rc-1 |
| HIGH | 8.5 | | RCE in XWiki | from 0, < 11.10.6 |
| HIGH | 8.4 | | XWiki Platform vulnerable to reflected cross-site scripting via delattachment action | >= 3.2-milestone-3, < 14.10.6 |
| HIGH | 8.2 | | XWiki's REST APIs can list all pages/spaces, leading to unavailability | >= 1.8-rc-1, < 16.10.16 |
| HIGH | 8.1 | | XWiki.WebHome vulnerable to Improper Privilege Management in XWiki resolving groups | >= 11.3.7, < 13.10.4 |
| HIGH | 8.1 | | XWiki Platform Improper Authorization check for inactive users | >= 1.1, < 13.10.5 |
| HIGH | 8.0 | | XWiki has no right protection on rollback action | >= 1.0, < 14.10.17 |
| HIGH | 8.0 | | XWiki Platform vulnerable to CSRF privilege escalation/RCE via the create action | >= 3.2-milestone-3, < 14.10.9 |
| HIGH | 7.5 | | org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents | >= 1.2-milestone-1, < 13.10.11 |
| HIGH | 7.5 | | Creation of new database tables through login form on PostgreSQL | from 0, < 13.10.8 |
| HIGH | 7.5 | | XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action | from 0, < 13.10.4 |
| MEDIUM | 6.8 | | XWiki Platform: Password hash might be leaked by diff once the xobject holding them is deleted | >= 5.0-rc-1, < 14.10.19 |
| MEDIUM | 6.6 | | Users with SCRIPT right can execute arbitrary code in XWiki | from 0, < 11.10.5 |
| MEDIUM | 6.5 | | org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents | >= 9.4-rc-1, < 14.10.8 |
| MEDIUM | 6.5 | | Missing authorization in xwiki-platform | from 0, < 12.10.6 |
| MEDIUM | 6.3 | | Velocity execution without script right through VelocityCode and VelocityWiki property | >= 7.2, < 14.10.10 |
| MEDIUM | 5.7 | | XWiki Platform subject to Uncontrolled Resource Consumption | from 0, < 14.0-rc-1 |
| MEDIUM | 5.5 | | Missing authorization in xwiki-platform | >= 13.6-rc-1, < 13.7-rc-1 |
| MEDIUM | 5.4 | | Partial authorization bypass on document save in xwiki-platform | >= 1.0, < 13.0 |
| MEDIUM | 4.9 | | Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore | >= 11.7RC1, < 13.10.7 |
| MEDIUM | 4.7 | | org.xwiki.platform:xwiki-platform-oldcore Open Redirect vulnerability | from 0, < 14.10.4 |
| MEDIUM | 4.7 | | org.xwiki.platform:xwiki-platform-oldcore Open Redirect vulnerability | >= 6.0-rc-1, < 13.10.10 |
| MEDIUM | 4.7 | | URL Redirection to Untrusted Site ('Open Redirect') | from 0, < 12.10.7 |
| MEDIUM | 4.3 | | XWiki Platform vulnerable to document deletion and overwrite from edit | >= 13.10.4, < 14.10.21 |
| MEDIUM | 4.1 | | Cross-site Scripting by SVG upload in xwiki-platform | from 0, < 12.10.6 |
| LOW | 2.7 | | Path Traversal in XWiki Platform | >= 8.3-rc-1, < 13.10.3 |
| — | | | XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API | >= 17.0.0-rc-1, < 17.4.8 |
| — | | | XWiki exposes passwords and emails stored in fields not named password/email in xml.vm | >= 1.1, < 16.4.7 |
| — | | | XWiki leaks password hashes and other accessible password properties | >= 9.8-rc-1, < 16.4.7 |
| — | | | XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API | >= 1.0, < 16.10.6 |
| — | | | XWiki allows remote code execution through preview of XClass changes in AWM editor | >= 7.2-milestone-2, < 16.4.7 |
| — | | | XWiki allows SQL injection in query endpoint of REST API with Oracle | >= 1.0, < 15.10.16 |
| — | | | org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API | >= 1.6-milestone-1, < 15.10.16 |
| — | | | XWiki Remote Code Execution | >= 0.9.543, < 1.0B1 |