CVE-2024-56158
Description
XWiki is a generic wiki platform. Its possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query. This vulnerability is fixed in 16.10.2, 16.4.7, and 15.10.16.
Risk Information
Base Score
9.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.589
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2025-32968,CVE-2024-56158 are fixed in Xwiki-platform-oldcore 15.10.16 | Windows |
| Vulnerabilities CVE-2025-49586,CVE-2024-56158 are fixed in Xwiki-platform-oldcore 16.4.7 | Windows |
| Vulnerabilities CVE-2024-56158 are fixed in Xwiki-platform-oldcore 16.10.2 | Windows |
| Vulnerabilities CVE-2025-49586,CVE-2024-56158,CVE-2025-54125,CVE-2025-54124 are fixed in Xwiki-platform-oldcore 16.4.7 | Windows |
| Vulnerabilities CVE-2025-32968,CVE-2024-56158 are fixed in Xwiki-platform-oldcore for Linux 15.10.16 | Linux |
| Vulnerabilities CVE-2025-49586,CVE-2024-56158 are fixed in Xwiki-platform-oldcore for Linux 16.4.7 | Linux |
| Vulnerabilities CVE-2024-56158 are fixed in Xwiki-platform-oldcore for Linux 16.10.2 | Linux |
| Vulnerabilities CVE-2025-49586,CVE-2024-56158,CVE-2025-54125,CVE-2025-54124 are fixed in Xwiki-platform-oldcore for Linux 16.4.7 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234