XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NXwiki Full Calendar Macro
APPXwiki< 2.4.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
Related vulnerabilities
CVE-2025-65091CRITICAL10.0PL ✓ten sam produkt
SQL Injection w XWiki Full Calendar Macro — dostęp bez uwierzytelnienia
CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam vendor
XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch
CVE-2025-55728CRITICAL10.0PL ✓ten sam vendor
RCE przez XWiki syntax injection w parametrze classes makra Panel
CVE-2025-55727CRITICAL10.0PL ✓ten sam vendor
XWiki Pro Macros: RCE przez brak escapowania parametru width w makro column
CVE-2025-55747CRITICAL9.3PL ✓ten sam vendor
XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)