Vulnerability Information
Vulnerability Title
XWiki Platform's searchDocuments API allows for SQL injection
Vulnerability Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 17.0.0-rc1 through 17.2.2 and versions 16.10.5 and below, it is possible to execute arbitrary SQL queries against Oracle by using functions such as DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1.
CVSS Information
N/A
Vulnerability Type
Improper Input Validation
Vulnerability Title
XWiki Platform Improper Input Validation Vulnerability
Vulnerability Description
XWiki Platform is an open-source wiki platform from XWiki for building collaborative web applications. XWiki Platform versions 17.0.0-rc1 through 17.2.2 and versions 16.10.5 and earlier contain an improper input validation vulnerability. The flaw stems from unsanitized SQL queries and may lead to SQL injection attacks.
CVSS Information
N/A
Vulnerability Type
N/A