SQL Injection Vulnerability in XWiki by XWiki SAS
CVE-2024-56158

9.3 CRITICAL

Key Information:

Vendor:
XWiki

CVE Published:
12 June 2025

What is CVE-2024-56158?

A significant SQL injection vulnerability exists in XWiki that allows attackers to bypass query validation and execute arbitrary SQL queries using Oracle's DBMS_XMLGEN or DBMS_XMLQUERY functions. The root cause is inadequate sanitization of query functions in the XWiki query validator, combined with Hibernate's ability to pass native database functions through HQL queries. This flaw has been addressed in releases 16.10.2, 16.4.7, and 15.10.16, so users are encouraged to upgrade to one of these versions.

Affected Version(s)

xwiki-platform >= 1.0, < 15.10.16 (fixed in 15.10.16)

xwiki-platform >= 16.0.0-rc-1, < 16.4.7 (fixed in 16.4.7)

xwiki-platform >= 16.5.0-rc-1, < 16.10.2 (fixed in 16.10.2)

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
