Search criteria
4 vulnerabilities found for macro-fullcalendar by xwiki-contrib
CVE-2025-65091 (GCVE-0-2025-65091)
Vulnerability from nvd – Published: 2026-01-10 03:06 – Updated: 2026-01-10 03:06
VLAI?
Title
XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService
Summary
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.
Severity ?
10 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki-contrib | macro-fullcalendar |
Affected:
< 2.4.5
|
{
"containers": {
"cna": {
"affected": [
{
"product": "macro-fullcalendar",
"vendor": "xwiki-contrib",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T03:06:16.775Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5"
},
{
"name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994"
}
],
"source": {
"advisory": "GHSA-2g22-wg49-fgv5",
"discovery": "UNKNOWN"
},
"title": "XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65091",
"datePublished": "2026-01-10T03:06:16.775Z",
"dateReserved": "2025-11-17T20:55:34.691Z",
"dateUpdated": "2026-01-10T03:06:16.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65090 (GCVE-0-2025-65090)
Vulnerability from nvd – Published: 2026-01-10 03:05 – Updated: 2026-01-10 03:06
VLAI?
Title
XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService
Summary
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki-contrib | macro-fullcalendar |
Affected:
< 2.4.6
|
{
"containers": {
"cna": {
"affected": [
{
"product": "macro-fullcalendar",
"vendor": "xwiki-contrib",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T03:06:03.471Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m"
},
{
"name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884"
},
{
"name": "https://jira.xwiki.org/browse/FULLCAL-82",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/FULLCAL-82"
}
],
"source": {
"advisory": "GHSA-637h-ch24-xp9m",
"discovery": "UNKNOWN"
},
"title": "XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65090",
"datePublished": "2026-01-10T03:05:06.531Z",
"dateReserved": "2025-11-17T20:55:34.691Z",
"dateUpdated": "2026-01-10T03:06:03.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65091 (GCVE-0-2025-65091)
Vulnerability from cvelistv5 – Published: 2026-01-10 03:06 – Updated: 2026-01-10 03:06
VLAI?
Title
XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService
Summary
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.
Severity ?
10 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki-contrib | macro-fullcalendar |
Affected:
< 2.4.5
|
{
"containers": {
"cna": {
"affected": [
{
"product": "macro-fullcalendar",
"vendor": "xwiki-contrib",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T03:06:16.775Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5"
},
{
"name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/5fdcf06a05015786492fda69b4d9dea5460cc994"
}
],
"source": {
"advisory": "GHSA-2g22-wg49-fgv5",
"discovery": "UNKNOWN"
},
"title": "XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65091",
"datePublished": "2026-01-10T03:06:16.775Z",
"dateReserved": "2025-11-17T20:55:34.691Z",
"dateUpdated": "2026-01-10T03:06:16.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65090 (GCVE-0-2025-65090)
Vulnerability from cvelistv5 – Published: 2026-01-10 03:05 – Updated: 2026-01-10 03:06
VLAI?
Title
XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService
Summary
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki-contrib | macro-fullcalendar |
Affected:
< 2.4.6
|
{
"containers": {
"cna": {
"affected": [
{
"product": "macro-fullcalendar",
"vendor": "xwiki-contrib",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-10T03:06:03.471Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m"
},
{
"name": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884"
},
{
"name": "https://jira.xwiki.org/browse/FULLCAL-82",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/FULLCAL-82"
}
],
"source": {
"advisory": "GHSA-637h-ch24-xp9m",
"discovery": "UNKNOWN"
},
"title": "XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65090",
"datePublished": "2026-01-10T03:05:06.531Z",
"dateReserved": "2025-11-17T20:55:34.691Z",
"dateUpdated": "2026-01-10T03:06:03.471Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}