SQL Injection Vulnerability in XWiki Full Calendar Macro Affects Guest Users
CVE-2025-65091
10 CRITICAL
What is CVE-2025-65091?
The XWiki Full Calendar Macro contains a SQL injection vulnerability that unauthorized users, including guests, can exploit by accessing the Calendar.JSONService page. The flaw can lead to unauthorized access to database information, or it may be leveraged to initiate a Denial of Service (DoS) attack. The vulnerability has been patched, and users are advised to upgrade to version 2.4.5 or later.
Affected Version(s)
macro-fullcalendar < 2.4.5
CVSS V3.1
Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved
