Security

SECURITY.md

Security Policy

XWiki security policy is detailed on the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.

XSS in the deleted attachments list
GHSA-gjmq-x5x7-wc36 published Sep 8, 2022 by surli

High
Cross-Site Request Forgery (CSRF) for actions on tags in XWiki
GHSA-fxwr-4vq9-9vhj published Sep 8, 2022 by surli

Moderate
XSS in the attachment history
GHSA-mxf2-4r22-5hq9 published Sep 8, 2022 by surli

High
Unauthorized User Registration Through the Distribution Wizard in org.xwiki.platform:xwiki-platform-web-templates
GHSA-h5j3-5x63-p8jv published Sep 8, 2022 by surli

High
Authentication Bypass Using the Login Action in org.xwiki.platform:xwiki-platform-oldcore
GHSA-8h89-34w2-jpfm published Sep 8, 2022 by surli

High
Missing Authorization and Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-web-templates
GHSA-599v-w48h-rjrm published Sep 8, 2022 by surli

High
Improper Authorization check for inactive users in org.xwiki.platform:xwiki-platform-oldcore
GHSA-jgc8-gvcx-9vfx published Sep 8, 2022 by surli

High
It's possible to overwrite the security rules of a page with a final page having the same reference
GHSA-gg53-wf5x-r3r6 published Sep 7, 2022 by surli

High
Improper Privilege Management in XWiki resolving groups in XWiki.WebHome
GHSA-g4h6-qp44-wqvx published Sep 7, 2022 by surli

High
It's possible to access a classloader file out of the "templates/" prefix through template manager
GHSA-9qrp-h7fw-42hg published May 25, 2022 by surli

Low

Learn more about advisories related to xwiki/xwiki-platform in the GitHub Advisory Database