XWiki security policy is detailed on the following document: https://dev.xwiki.org/xwiki/bin/view/Community/SecurityPolicy/.
Security: xwiki/xwiki-platform
Security
SECURITY.md
-
It's possible to execute anything with the rights of the author of a macro which uses the {{wikimacrocontent}} macroGHSA-v662-xpcc-9xf6 published
Mar 11, 2021 by tmortagneHigh -
Users with SCRIPT right can access the application server instance manager and create arbitrary Java objects through $xcontext.request and $context.request bindingGHSA-5hv6-mh8q-q9v8 published
Oct 15, 2020 by tmortagneHigh -
Users with SCRIPT right can access the application server instance manager and create arbitrary Java objects through $request bindingGHSA-7qw5-pqhc-xm4g published
Sep 10, 2020 by tmortagneHigh -
Authenticated server side code execution without programming rights on User DashboardsGHSA-rmp6-jjg8-9424 published
May 12, 2020 by surliHigh
Learn more about advisories related to xwiki/xwiki-platform in the GitHub Advisory Database