
GHSA-wh34-m772-5398

GitHub Security Advisory

XWiki Platform has an SQL injection in getdocuments.vm with sort parameter

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Impact

In `getdocuments.vm`, the ordering of the returned documents is taken directly from an unsanitized request parameter (`request.sort`), which allows any user to inject HQL.

Depending on the database backend in use, an attacker may be able not only to obtain confidential information such as password hashes from the database, but also to execute UPDATE/INSERT/DELETE queries.

Database-backend-dependent techniques for breaking out of the HQL query context exist; they are described, for example, at https://www.sonarsource.com/blog/exploiting-hibernate-injections.
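The root cause described above is that an ORDER BY clause cannot be protected with bind parameters the way a WHERE value can, so a sort field taken from the request has to be validated against an allowlist before it is spliced into the query. The following is an added illustration of that pattern, not XWiki's own code: it contrasts the vulnerable concatenation with an allowlist-based builder, and runs the hardened version against a constructed SQLite table (the `documents` table, its three columns and its rows are assumptions standing in for XWiki's document store; the same idea applies unchanged to an HQL `order by`).

```python
import re
import sqlite3

# Constructed sample data; the schema is a stand-in, not XWiki's document table.
SCHEMA = "CREATE TABLE documents (fullname TEXT, date TEXT, author TEXT)"
ROWS = [
    ("Main.WebHome", "2024-01-02", "alice"),
    ("Sandbox.Test", "2024-03-04", "bob"),
    ("Main.About", "2023-12-31", "carol"),
]


def vulnerable_query(sort: str) -> str:
    """The flawed pattern: the request parameter is pasted verbatim into ORDER BY."""
    return "SELECT fullname FROM documents ORDER BY " + sort


# Allowlist of the only columns this endpoint is willing to sort by (assumed names).
SORTABLE_COLUMNS = {"fullname", "date", "author"}

# One sort item is an identifier optionally followed by a direction keyword.
_SORT_ITEM = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?$", re.IGNORECASE)


def build_order_clause(sort: str) -> str:
    """Turn a comma-separated spec such as 'date desc, fullname' into a safe ORDER BY body.

    Every column must be in SORTABLE_COLUMNS and every direction must be asc/desc;
    anything else raises ValueError instead of reaching the database.
    """
    clauses = []
    for item in sort.split(","):
        match = _SORT_ITEM.match(item.strip())
        if not match:
            raise ValueError(f"malformed sort item: {item!r}")
        column = match.group(1)
        direction = (match.group(2) or "asc").lower()
        if column not in SORTABLE_COLUMNS:
            raise ValueError(f"column is not sortable: {column!r}")
        clauses.append(f"{column} {direction}")
    return ", ".join(clauses)


def is_valid_sort(sort: str) -> bool:
    """Convenience predicate: True if build_order_clause would accept the spec."""
    try:
        build_order_clause(sort)
        return True
    except ValueError:
        return False


def safe_query(sort: str) -> str:
    """Hardened counterpart of vulnerable_query: only allowlisted fragments are spliced in."""
    return "SELECT fullname FROM documents ORDER BY " + build_order_clause(sort)


def run(sort: str) -> list:
    """Execute the hardened query against the constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", ROWS)
    return [row[0] for row in conn.execute(safe_query(sort))]


if __name__ == "__main__":
    print(run("date desc"))          # newest document first
    print(build_order_clause("DATE desc, fullname") if is_valid_sort("date desc, fullname") else "rejected")
    print(is_valid_sort("date, password_hash"))  # False: column not in the allowlist
```

The allowlist check is deliberately strict: a column name that exists in the table but is not in `SORTABLE_COLUMNS` is rejected just like a malformed item, so the set of columns an unauthenticated caller can influence is exactly the set the endpoint documents.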

### Patches

This has been patched in 13.10.5 and 14.3-rc-1.

### Workarounds

There is no known workaround, other than upgrading XWiki.

### References

https://jira.xwiki.org/browse/XWIKI-17568

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-distribution-war
Affected versions: 6.3-milestone-2 (fixed in 13.10.5)
Maven org.xwiki.platform:xwiki-platform-distribution-war
Affected versions: 14.0-rc-1 (fixed in 14.3-rc-1)


Key Information

GHSA ID: GHSA-wh34-m772-5398
Published: December 12, 2024 7:22 PM
Last Modified: December 16, 2024 6:08 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: Maven
Primary Package: org.xwiki.platform:xwiki-platform-distribution-war
GitHub Reviewed: Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.