XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.
The SQL injection vulnerability (CWE-89) allows malicious SQL code to be injected through a request to the Calendar.JSONService page. This page is accessible to all users with permission to view it, including guests (unauthenticated users). An attacker can craft an appropriate HTTP request that will cause arbitrary SQL queries to be executed in the context of the database used by XWiki.
An attacker can obtain unauthorized access to information stored in the XWiki instance database or cause service unavailability (DoS attack). Due to the CVSS scope covering confidentiality, integrity, and availability at high level with impact extending beyond the component (Scope: Changed), the consequences may affect the entire wiki instance.
XWiki Full Calendar Macro should be updated to version 2.4.5 or later, where the vulnerability has been patched. The patch is available in the project repository (commit 5fdcf06a05015786492fda69b4d9dea5460cc994). As a temporary workaround, consider restricting access to the Calendar.JSONService page for unauthenticated and unprivileged users.
XWiki Full Calendar Macro in all versions before 2.4.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HXwiki Full Calendar Macro
APPXwiki< 2.4.5
Related vulnerabilities
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with t...
XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch
RCE przez XWiki syntax injection w parametrze classes makra Panel
XWiki Pro Macros: RCE przez brak escapowania parametru width w makro column
XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)