CVE-2022-29253 LOW

CVE-2022-29253: Path Traversal in XWiki Platform

Vendor Xwiki
Product xwiki-platform
Weakness CWE-24
Published May 25, 2022
Last update April 23, 2025

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, a user can request any file located in the classloader through the template API by supplying a path that contains "..". The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue.
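To illustrate the class of check that closes this kind of hole, the following added example (not XWiki's code or its patch) normalizes a requested template name and refuses any name whose ".." segments would climb out of the template root before the name reaches the classloader. The class name, the `TEMPLATE_ROOT` prefix and the sample names are assumptions made for the illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Optional;

// Added example, not XWiki code: class name and TEMPLATE_ROOT are hypothetical.
public class TemplateResourceGuard {
    // Assumed classpath prefix under which bundled templates live.
    private static final String TEMPLATE_ROOT = "templates/";

    // Returns the normalized resource name, or empty if the name would leave
    // TEMPLATE_ROOT. Callers must pass the name already URL-decoded, exactly once,
    // and hand only the returned value to ClassLoader.getResourceAsStream().
    static Optional<String> resolve(String name) {
        if (name == null || name.isEmpty() || name.indexOf('\0') >= 0) {
            return Optional.empty();
        }
        Deque<String> segments = new ArrayDeque<>();
        // Treat backslashes as separators so "..\\x" is handled like "../x".
        for (String seg : name.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return Optional.empty(); // would climb above the root
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        if (segments.isEmpty()) {
            return Optional.empty(); // resolves to the root itself, not a file
        }
        return Optional.of(TEMPLATE_ROOT + String.join("/", segments));
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from the advisory.
        String[] samples = {"display.vm", "menus/../display.vm",
            "../META-INF/MANIFEST.MF", "a/../../app.properties", "..\\secret.cfg"};
        for (String s : samples) {
            System.out.println(s + " -> " + resolve(s).orElse("REJECTED"));
        }
    }
}
```

The first two samples resolve to `templates/display.vm`; the other three are rejected because their ".." segments would leave the root.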

Key dates

02 Disclosure timeline

May 25, 2022 CVE published
April 23, 2025 Record updated