Description
XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually.
Remediation
References
Related Vulnerabilities
MySQL CVE-2016-5439 Vulnerability (CVE-2016-5439)
Oracle JRE CVE-2012-5073 Vulnerability (CVE-2012-5073)
Apache Tomcat Permissions, Privileges, and Access Controls Vulnerability (CVE-2014-0119)
Joomla Incorrect Authorization Vulnerability (CVE-2021-26027)
Caddy Web Server Improper Input Validation Vulnerability (CVE-2026-45135)