Advisories for Maven/Org.xwiki.commons/Xwiki-Commons-Velocity package

2024

XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution

The HTML escaping of escaping tool that is used in XWiki doesn't escape {, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution.

2022

Arbitrary filesystem write access from velocity.

The velocity scripts is not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Now writing an attacking script in velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File.