Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for macro-fullcalendar by xwiki-contrib

    CVE-2025-65091 (GCVE-0-2025-65091)

    Vulnerability from nvd – Published: 2026-01-10 03:06 – Updated: 2026-01-12 17:35
    VLAI
    Title
    XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService
    Summary
    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65091",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T17:35:13.091420Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T17:35:19.706Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "macro-fullcalendar",
              "vendor": "xwiki-contrib",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.4.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-10T03:06:16.775Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5"
            },
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994"
            }
          ],
          "source": {
            "advisory": "GHSA-2g22-wg49-fgv5",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65091",
        "datePublished": "2026-01-10T03:06:16.775Z",
        "dateReserved": "2025-11-17T20:55:34.691Z",
        "dateUpdated": "2026-01-12T17:35:19.706Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-65090 (GCVE-0-2025-65090)

    Vulnerability from nvd – Published: 2026-01-10 03:05 – Updated: 2026-01-12 17:36
    VLAI
    Title
    XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService
    Summary
    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65090",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T17:36:31.744611Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T17:36:38.233Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "macro-fullcalendar",
              "vendor": "xwiki-contrib",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.4.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-10T03:06:03.471Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m"
            },
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884"
            },
            {
              "name": "https://jira.xwiki.org/browse/FULLCAL-82",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/FULLCAL-82"
            }
          ],
          "source": {
            "advisory": "GHSA-637h-ch24-xp9m",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65090",
        "datePublished": "2026-01-10T03:05:06.531Z",
        "dateReserved": "2025-11-17T20:55:34.691Z",
        "dateUpdated": "2026-01-12T17:36:38.233Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-65091 (GCVE-0-2025-65091)

    Vulnerability from cvelistv5 – Published: 2026-01-10 03:06 – Updated: 2026-01-12 17:35
    VLAI
    Title
    XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService
    Summary
    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65091",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T17:35:13.091420Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T17:35:19.706Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "macro-fullcalendar",
              "vendor": "xwiki-contrib",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.4.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-10T03:06:16.775Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5"
            },
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994"
            }
          ],
          "source": {
            "advisory": "GHSA-2g22-wg49-fgv5",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65091",
        "datePublished": "2026-01-10T03:06:16.775Z",
        "dateReserved": "2025-11-17T20:55:34.691Z",
        "dateUpdated": "2026-01-12T17:35:19.706Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-65090 (GCVE-0-2025-65090)

    Vulnerability from cvelistv5 – Published: 2026-01-10 03:05 – Updated: 2026-01-12 17:36
    VLAI
    Title
    XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService
    Summary
    XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-65090",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-12T17:36:31.744611Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-12T17:36:38.233Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "macro-fullcalendar",
              "vendor": "xwiki-contrib",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.4.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-10T03:06:03.471Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m"
            },
            {
              "name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884"
            },
            {
              "name": "https://jira.xwiki.org/browse/FULLCAL-82",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://jira.xwiki.org/browse/FULLCAL-82"
            }
          ],
          "source": {
            "advisory": "GHSA-637h-ch24-xp9m",
            "discovery": "UNKNOWN"
          },
          "title": "XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-65090",
        "datePublished": "2026-01-10T03:05:06.531Z",
        "dateReserved": "2025-11-17T20:55:34.691Z",
        "dateUpdated": "2026-01-12T17:36:38.233Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }