PT-2025-25327 · Hibernate+2 · Hibernate+2
Published
2024-12-17
·
Updated
2025-09-03
·
CVE-2024-56158
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
XWiki versions prior to 15.10.16
XWiki versions prior to 16.4.7
XWiki versions prior to 16.10.2
Description
The issue allows execution of any SQL query in Oracle using functions like DBMS XMLGEN or DBMS XMLQUERY. This is due to the XWiki query validator not sanitizing certain functions and Hibernate allowing the use of any native function in an HQL query.
Recommendations
For versions prior to 15.10.16, update to version 15.10.16 or later.
For versions prior to 16.4.7, update to version 16.4.7 or later.
For versions prior to 16.10.2, update to version 16.10.2 or later.
Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Hibernate
Oracle
Xwiki