
cpe:2.3:a:xwiki:xwiki:6.2:milestone2:*:*:*:*:*:*

part: a version: 6.2 update: milestone2

Vendor: Xwiki (cdc9c0cd-6ac5-5dc0-9f52-915ebd57f20d)
Product: Xwiki (2fad5bf8-5703-5dac-bd8d-95a867c2e84d)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

PURL | Source | Last updated
pkg:docker/xwiki/xwiki | purl2cpe | 2026-06-01 10:18:15.850715
pkg:github/xwiki/xwiki-platform | purl2cpe | 2026-06-01 10:18:15.850716
pkg:gitlab/q-phillips/xwiki-platform | purl2cpe | 2026-06-01 10:18:15.850718
pkg:xwiki/xwiki | purl2cpe | 2026-06-01 10:18:15.850719

Vulnerability references

Identifier: CVE:CVE-2023-35161
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:52:17.904658
db.gcve.eu details: XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in DeleteApplication page
CRITICAL (9.7)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that allows injecting JavaScript in the page (XSS). It's possible to exploit the DeleteApplication page to perform an XSS, e.g. by using a URL such as: xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.2-milestone-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
Published: 2023-06-23T18:51:45.575Z
Updated: 2024-11-27T20:02:02.038Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2023-26472
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:50:59.776441
db.gcve.eu details: XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile
CRITICAL (10)
XWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with certain content. This can be done by creating a new page or even through the user profile for users not having edit right. The issue has been patched in XWiki 14.9, 14.4.6, and 13.10.10. An available workaround is to fix the bug in the page `IconThemesCode.IconThemeSheet` by applying a modification from commit 48caf7491595238af2b531026a614221d5d61f38.
Published: 2023-03-02T18:25:06.051Z
Updated: 2025-03-05T20:44:32.268Z
Rationale: Imported from gcve-enriched-dumps CVE data
