CVE-2021-21380

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 12.9RC1

Description The XWiki Platform, specifically with the Ratings API installed, exposes an API that allows performing SQL requests without properly escaping the from and where search arguments. This could lead to SQL script injection for users with Script rights on XWiki.

Recommendations For versions prior to 12.9RC1, upgrade to XWiki 12.9RC1 to resolve the issue. As a temporary workaround, consider uninstalling the Ratings API in XWiki from the Extension Manager until a patch is applied.