GCVE - cpe:2.3:a:xwiki:xwiki:3.1:rc1:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:xwiki:xwiki:3.1:rc1:*:*:*:*:*:*

part: a version: 3.1 update: rc1

Vendor	Xwiki (`cdc9c0cd-6ac5-5dc0-9f52-915ebd57f20d`)
Product	Xwiki (`2fad5bf8-5703-5dac-bd8d-95a867c2e84d`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:docker/xwiki/xwiki`	purl2cpe	2026-06-01 10:18:15.815476
`pkg:github/xwiki/xwiki-platform`	purl2cpe	2026-06-01 10:18:15.815477
`pkg:gitlab/q-phillips/xwiki-platform`	purl2cpe	2026-06-01 10:18:15.815479
`pkg:xwiki/xwiki`	purl2cpe	2026-06-01 10:18:15.815480

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2023-45137`	vulnerable	2026-06-03 14:53:07.602031	XWiki Platform XSS with edit right in the create document form for existing pages CRITICAL (9.1) XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. `org.xwiki.platform:xwiki-platform-web` starting in version 3.1-milestone-2 and prior to version 13.4-rc-1, as well as `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1, are vulnerable to cross-site scripting. When trying to create a document that already exists, XWiki displays an error message in the form for creating it. Due to missing escaping, this error message is vulnerable to raw HTML injection and thus XSS. The injected code is the document reference of the existing document so this requires that the attacker first creates a non-empty document whose name contains the attack code. This has been patched in `org.xwiki.platform:xwiki-platform-web` version 13.4-rc-1 and `org.xwiki.platform:xwiki-platform-web-templates` versions 14.10.12 and 15.5-rc-1 by adding the appropriate escaping. The vulnerable template file `createinline.vm` is part of XWiki's WAR and can be patched by manually applying the changes from the fix. Published: 2023-10-25T20:13:22.602Z Updated: 2024-09-10T19:44:17.067Z Open on db.gcve.eu Reference links https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-93gh-jgjj-r929 https://github.com/xwiki/xwiki-platform/commit/ed8ec747967f8a16434806e727a57214a8843581 https://jira.xwiki.org/browse/XWIKI-20961	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-23616`	vulnerable	2026-06-03 14:46:27.929603	Remote code execution in xwiki-platform HIGH (8.8) XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for an unprivileged user to perform a remote code execution by injecting a groovy script in her own profile and by calling the Reset password feature since the feature is performing a save of the user profile with programming rights in the impacted versions of XWiki. The issue has been patched in XWiki 13.1RC1. There are two different possible workarounds, each consisting of modifying the XWiki/ResetPassword page. 1. The Reset password feature can be entirely disabled by deleting the XWiki/ResetPassword page. 2. The script in XWiki/ResetPassword can also be modified or removed: an administrator can replace it with a simple email contact to ask an administrator to reset the password. Published: 2022-02-09T20:55:10.000Z Updated: 2025-04-23T19:06:21.673Z Open on db.gcve.eu Reference links https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mgjw-2wrp-r535 https://jira.xwiki.org/browse/XWIKI-16661	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.