CVE-2024-56158: XWiki allows SQL injection in query endpoint of REST API with Oracle

June 12, 2025 (updated November 10, 2025)

It’s possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY.

The XWiki query validator does not sanitize functions that would be used in a simple select and Hibernate allows using any native function in an HQL query.

References

github.com/advisories/GHSA-prwh-7838-xf82
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/security/advisories/GHSA-prwh-7838-xf82
jira.xwiki.org/browse/XWIKI-22734
nvd.nist.gov/vuln/detail/CVE-2024-56158

Code Behaviors & Features

Detect and mitigate CVE-2024-56158 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →