PT-2026-1847 · Xwiki · Xwiki

Published: 2025-07-04 · Updated: 2026-01-15 · CVE-2025-65091

CVSS v3.1: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki (Full Calendar Macro), versions prior to 2.4.5
Description: The XWiki Full Calendar Macro displays objects from the wiki on a calendar. Prior to version 2.4.5, any user with the right to view the Calendar.JSONService page, including guest users, can exploit a SQL injection vulnerability in that endpoint. Successful exploitation can expose database information or trigger a Denial of Service (DoS) against the wiki. Because guest access is sufficient and no user interaction is required, the issue is reachable over the network without credentials (AV:N/PR:N/UI:N).
Recommendations: Update installations running versions prior to 2.4.5 to version 2.4.5 or later. Until the update is applied, restricting view rights on the Calendar.JSONService page to trusted users limits exposure, since the vulnerable endpoint is only reachable by users who can view that page.
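The description above states the defect class (caller-controlled input reaching a database query) without showing code. The following is an added, constructed illustration of that class and its fix, not code from XWiki or the Full Calendar Macro: the real extension is Java/Velocity issuing HQL queries, so the sqlite3 stand-in, the table, the sample events and the function names are all assumptions. It contrasts a query that splices the caller's value into SQL text with one that binds it as a parameter, and adds an allowlist check as a second layer.

```python
import re
import sqlite3

# Constructed sample data standing in for calendar objects stored in the wiki.
SAMPLE_EVENTS = [
    ("Team sync", "work", "2025-07-01"),
    ("Dentist", "private", "2025-07-02"),
    ("Release 2.4.5", "work", "2025-07-04"),
]

# Hypothetical allowlist for a category filter: letters, digits, '_' and '-' only.
CATEGORY_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_db():
    """Create an in-memory database holding the constructed sample events."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (title TEXT, category TEXT, start TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return conn


def events_unsafe(conn, category):
    """Vulnerable form: the caller's value becomes part of the SQL text.

    A quote character in the value ends the string literal, so the rest of the
    value is parsed as SQL and can widen the result set or change the query.
    """
    sql = f"SELECT title, start FROM events WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


def events_safe(conn, category):
    """Hardened form: the value is bound as a parameter, never parsed as SQL.

    The database receives the query text and the value separately, so a quote
    in the value is just a character to compare against.
    """
    return conn.execute(
        "SELECT title, start FROM events WHERE category = ?", (category,)
    ).fetchall()


def events_validated(conn, category):
    """Defence in depth: reject values outside the expected shape before querying.

    Parameter binding already prevents injection; the allowlist additionally
    rejects inputs the endpoint never needs, which also helps detection
    (rejected requests can be logged) and limits resource-heavy queries.
    """
    if not CATEGORY_RE.fullmatch(category):
        raise ValueError("category contains characters outside the allowlist")
    return events_safe(conn, category)


def compare(category):
    """Return row counts for the unsafe and safe query on the same input."""
    conn = build_db()
    return len(events_unsafe(conn, category)), len(events_safe(conn, category))


if __name__ == "__main__":
    # Textbook tautology input used only to show the difference between the forms.
    for value in ("work", "x' OR '1'='1"):
        unsafe_rows, safe_rows = compare(value)
        print(f"{value!r}: unsafe={unsafe_rows} safe={safe_rows}")
```

With the ordinary value `work` both forms return the two matching events; with the tautology input the string-spliced query returns every row while the bound query returns none, because the whole value is compared literally against the category column.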

Tags: Exploit · Fix · DoS · SQL injection


Related Identifiers: BDU:2026-00448, CVE-2025-65091, GHSA-2G22-WG49-FGV5

Affected Products: Xwiki