CRITICAL🇵🇱 Wersja polska

CVE-2025-65091

CVSS 10.0v3.1pub. 2026-01-10upd. 2026-01-29

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.

🤖 AI Analysis
How it works

The SQL injection vulnerability (CWE-89) allows malicious SQL code to be injected through a request to the Calendar.JSONService page. This page is accessible to all users with permission to view it, including guests (unauthenticated users). An attacker can craft an appropriate HTTP request that will cause arbitrary SQL queries to be executed in the context of the database used by XWiki.

Impact

An attacker can obtain unauthorized access to information stored in the XWiki instance database or cause service unavailability (DoS attack). Due to the CVSS scope covering confidentiality, integrity, and availability at high level with impact extending beyond the component (Scope: Changed), the consequences may affect the entire wiki instance.

Mitigation & patch

XWiki Full Calendar Macro should be updated to version 2.4.5 or later, where the vulnerability has been patched. The patch is available in the project repository (commit 5fdcf06a05015786492fda69b4d9dea5460cc994). As a temporary workaround, consider restricting access to the Calendar.JSONService page for unauthenticated and unprivileged users.

Who is affected

XWiki Full Calendar Macro in all versions before 2.4.5

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Xwiki Full Calendar Macro

    APP
    Xwiki
    < 2.4.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2025-65090MEDIUM5.3ten sam produkt

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with t...

CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam vendor

XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch

CVE-2025-55728CRITICAL10.0PL ✓ten sam vendor

RCE przez XWiki syntax injection w parametrze classes makra Panel

CVE-2025-55727CRITICAL10.0PL ✓ten sam vendor

XWiki Pro Macros: RCE przez brak escapowania parametru width w makro column

CVE-2025-55747CRITICAL9.3PL ✓ten sam vendor

XWiki Platform: ujawnienie plików konfiguracyjnych przez webjars API (path traversal)