The XWiki security policy is detailed in the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.
Security: xwiki/xwiki-platform
- URL Redirection to Untrusted Site ('Open Redirect') (GHSA-jp55-vvmf-63mv), published Feb 9, 2022 by tmortagne, severity: Moderate
- Possible XSS by SVG upload with default configuration (GHSA-9jq9-c2cv-pcrj), published Feb 4, 2022 by surli, severity: Moderate
- Page content is revealed to users that don't have rights if used as a template for the creation of another page (GHSA-gf7x-2j2x-7f73), published Feb 9, 2022 by tmortagne, severity: Moderate
- The Forgot Username form might provide information about user accounts (GHSA-vh5c-jqfg-mhrh), published Feb 4, 2022 by surli, severity: High
- The reset password form reveal users email address (GHSA-h4m4-pgp4-whgm), published Jul 1, 2021 by surli, severity: Moderate
- No CSRF protection on the password change form (GHSA-v9j2-q4q5-cxh4), published Jul 1, 2021 by surli, severity: Moderate
- Remote code execution in user profiles with reset password (GHSA-mgjw-2wrp-r535), published Feb 9, 2022 by tmortagne, severity: High
- A user without PR can reset user authentication failures information (GHSA-m738-3rc4-5xv3), published Jul 1, 2021 by surli, severity: Low
- Script injection without script or programming rights through Gadget titles (GHSA-h353-hc43-95vc), published May 18, 2021 by surli, severity: High
- A user without programming right can save a document which will have programming right (GHSA-f4cj-3q3h-884r), published Feb 9, 2022 by tmortagne, severity: Moderate
Learn more about advisories related to xwiki/xwiki-platform in the GitHub Advisory Database