Plattform
java
Komponente
org.xwiki.contrib:macro-fullcalendar-pom
Behoben in
2.4.6
2.4.5
CVE-2025-65091 describes a critical SQL Injection vulnerability discovered in the XWiki Macro FullCalendar component. This flaw allows unauthorized users, including guest users, to potentially extract sensitive data from the database or initiate a denial-of-service (DoS) attack. The vulnerability affects versions prior to 2.4.5, and a fix is available in version 2.4.5.
The SQL Injection vulnerability in XWiki Macro FullCalendar poses a significant risk. Attackers can exploit this flaw by crafting malicious requests targeting the Calendar.JSONService page, which is accessible even to guest users. Successful exploitation could lead to the extraction of sensitive database information, such as user credentials, configuration details, or application data. Furthermore, attackers could leverage the SQL Injection to execute arbitrary commands on the database server, potentially leading to a complete compromise of the XWiki instance. The ability to launch a DoS attack adds another layer of potential disruption, as attackers could overload the database server with malicious queries, rendering the application unavailable to legitimate users.
Public details regarding active exploitation of CVE-2025-65091 are currently limited. However, the vulnerability's critical severity and ease of exploitation (guest user access) suggest a potential for future exploitation attempts. The vulnerability was disclosed publicly on 2026-01-09. Monitor XWiki installations for suspicious database activity and unusual error logs.
Organizations utilizing XWiki with the Macro FullCalendar component, particularly those with public-facing calendars or less restrictive access controls, are at risk. Shared hosting environments where multiple XWiki instances share the same database are also particularly vulnerable, as a compromise of one instance could potentially impact others.
• java / server:
ps -ef | grep -i fullcalendar• java / server:
journalctl -u xwiki | grep -i "Calendar.JSONService"• generic web:
curl -I <xwiki_url>/xwiki/bin/calendar/Calendar.JSONService• generic web:
grep -r 'Calendar.JSONService' /var/log/apache2/access.logdisclosure
Exploit-Status
EPSS
0.21% (43% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-65091 is to upgrade to XWiki Macro FullCalendar version 2.4.5 or later, which contains the necessary fix. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, a temporary workaround involves removing the Calendar.JSONService page. While this mitigates the vulnerability, it will also disable certain functionalities of the FullCalendar macro. Consider implementing Web Application Firewall (WAF) rules to filter out potentially malicious requests targeting the Calendar.JSONService endpoint. Regularly review XWiki configurations and access controls to ensure least privilege principles are enforced.
Aktualisieren Sie das XWiki Full Calendar Macro auf Version 2.4.5 oder höher. Diese Version enthält eine Korrektur für die (SQL Injection)-Schwachstelle. Das Update kann über den XWiki Extensions Manager durchgeführt werden.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-65091 is a critical SQL Injection vulnerability affecting XWiki Macro FullCalendar versions prior to 2.4.5. It allows unauthorized users to potentially extract data or launch DoS attacks.
If you are using XWiki Macro FullCalendar version 2.4.4 or earlier, you are vulnerable to this SQL Injection flaw. Upgrade to 2.4.5 to mitigate the risk.
The recommended fix is to upgrade to XWiki Macro FullCalendar version 2.4.5 or later. As a temporary workaround, remove the Calendar.JSONService page.
While there are currently no confirmed reports of active exploitation, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the XWiki Jira issue for more information: https://jira.xwiki.org/browse/FULLCAL-80 and https://jira.xwiki.org/browse/FULLCAL-81
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine pom.xml-Datei hoch und wir sagen dir sofort, ob du betroffen bist.