MEDIUM🇵🇱 Wersja polska

CVE-2025-65090

CVSS 5.3v3.1pub. 2026-01-10upd. 2026-01-29

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Xwiki Full Calendar Macro

    APP
    Xwiki
    < 2.4.6
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-65091CRITICAL10.0PL ✓ten sam produkt

SQL Injection w XWiki Full Calendar Macro — dostęp bez uwierzytelnienia

CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam vendor

XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch

CVE-2025-55728CRITICAL10.0PL ✓ten sam vendor

RCE przez XWiki syntax injection w parametrze classes makra Panel

CVE-2025-55727CRITICAL10.0PL ✓ten sam vendor

XWiki Pro Macros: RCE przez brak escapowania parametru width w makro column

CVE-2025-55747CRITICAL9.3PL ✓ten sam vendor

XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)