GHSA-prwh-7838-xf82

GitHub Security Advisory

XWiki allows SQL injection in query endpoint of REST API with Oracle

GitHub Reviewed · Severity: CRITICAL · Has CVE

Advisory Details

### Impact

It's possible to execute any SQL query in Oracle by using functions such as [DBMS_XMLGEN or DBMS_XMLQUERY](https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html).

The XWiki query validator does not sanitize the function calls used in a simple `select`, and Hibernate allows any native database function to be used in an HQL query.
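To illustrate the kind of check the advisory describes (a query validator that must restrict which functions a read-only `select` may call, because Hibernate passes unrecognised function names straight through to the database dialect), here is an added, simplified example in Python. It is not XWiki's validator or any code from the project; the allowlist, the regular expression and the sample queries are all assumptions constructed for this demonstration, and the function-call detection is deliberately conservative: any name not on the allowlist, including dotted database-package names, is rejected.

```python
import re

# Hypothetical allowlist of portable HQL functions a read-only select may call.
# Constructed for this example; it is not XWiki's real list.
ALLOWED_FUNCTIONS = {
    "count", "lower", "upper", "length", "coalesce", "trim",
    "abs", "max", "min", "sum", "avg",
}

# Matches an identifier, optionally dotted (e.g. PACKAGE.FUNC), followed by "(".
FUNC_CALL_RE = re.compile(
    r"\b([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\s*\("
)

# Keywords that can legitimately precede "(" without being function calls.
NON_FUNCTION_KEYWORDS = {"in", "exists", "not", "and", "or", "where", "select", "from", "values"}


def called_functions(hql: str) -> list[str]:
    """Return every function-like call found in the query text, lower-cased."""
    names = []
    for match in FUNC_CALL_RE.finditer(hql):
        name = match.group(1).lower()
        if name in NON_FUNCTION_KEYWORDS:
            continue
        names.append(name)
    return names


def disallowed_functions(hql: str) -> list[str]:
    """Return the calls that are not on the allowlist.

    Dotted names (database package functions) never appear in the allowlist,
    so they are rejected by construction: the validator only admits the
    portable HQL functions it explicitly knows about.
    """
    return [name for name in called_functions(hql) if name not in ALLOWED_FUNCTIONS]


def validate_select(hql: str) -> bool:
    """Accept only a select statement whose function calls are all allowlisted."""
    if not hql.strip().lower().startswith("select"):
        return False
    return not disallowed_functions(hql)


if __name__ == "__main__":
    # Constructed sample queries for the demonstration.
    samples = [
        "select count(*) from XWikiDocument doc where lower(doc.name) = 'home'",
        "select doc.name from XWikiDocument doc where doc.space in ('Main', 'XWiki')",
        "select vendor_pkg.native_fn(doc.name) from XWikiDocument doc",
        "update XWikiDocument set hidden = 1",
    ]
    for query in samples:
        verdict = "accepted" if validate_select(query) else "rejected"
        print(f"{verdict}: {query}  (disallowed: {disallowed_functions(query)})")
```

Rejecting unknown names rather than blocking known-bad ones is the point: a denylist of specific Oracle packages would have to be maintained per database vendor, whereas an allowlist of the portable functions the application actually needs stays correct regardless of which native functions the dialect exposes.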

### Patches

This has been patched in 16.10.2, 16.4.7 and 15.10.16.

### Workarounds

There is no known workaround, other than upgrading XWiki.

### References

https://jira.xwiki.org/browse/XWIKI-22734

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])

Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
|---|---|---|---|
| Maven | org.xwiki.platform:xwiki-platform-oldcore | 1.0 | 15.10.16 |
| Maven | org.xwiki.platform:xwiki-platform-oldcore | 16.0.0-rc-1 | 16.4.7 |
| Maven | org.xwiki.platform:xwiki-platform-oldcore | 16.5.0-rc-1 | 16.10.2 |

Key Information

GHSA ID: GHSA-prwh-7838-xf82
Published: June 12, 2025 9:52 PM
Last Modified: June 12, 2025 9:52 PM
CVSS Score: 9.0 / 10
Primary Ecosystem: Maven
Primary Package: org.xwiki.platform:xwiki-platform-oldcore
GitHub Reviewed: Yes

Dataset

Last updated: June 15, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.