Platform
java
Component
org.xwiki.contrib:macro-fullcalendar-pom
Opgelost in
2.4.6
2.4.5
CVE-2025-65091 describes a critical SQL Injection vulnerability discovered in the XWiki Macro FullCalendar component. This flaw allows unauthorized users, including guest users, to potentially extract sensitive data from the database or initiate a denial-of-service (DoS) attack. The vulnerability affects versions prior to 2.4.5, and a fix is available in version 2.4.5.
The SQL Injection vulnerability in XWiki Macro FullCalendar poses a significant risk. Attackers can exploit this flaw by crafting malicious requests targeting the Calendar.JSONService page, which is accessible even to guest users. Successful exploitation could lead to the extraction of sensitive database information, such as user credentials, configuration details, or application data. Furthermore, attackers could leverage the SQL Injection to execute arbitrary commands on the database server, potentially leading to a complete compromise of the XWiki instance. The ability to launch a DoS attack adds another layer of potential disruption, as attackers could overload the database server with malicious queries, rendering the application unavailable to legitimate users.
Public details regarding active exploitation of CVE-2025-65091 are currently limited. However, the vulnerability's critical severity and ease of exploitation (guest user access) suggest a potential for future exploitation attempts. The vulnerability was disclosed publicly on 2026-01-09. Monitor XWiki installations for suspicious database activity and unusual error logs.
Organizations utilizing XWiki with the Macro FullCalendar component, particularly those with public-facing calendars or less restrictive access controls, are at risk. Shared hosting environments where multiple XWiki instances share the same database are also particularly vulnerable, as a compromise of one instance could potentially impact others.
• java / server:
ps -ef | grep -i fullcalendar• java / server:
journalctl -u xwiki | grep -i "Calendar.JSONService"• generic web:
curl -I <xwiki_url>/xwiki/bin/calendar/Calendar.JSONService• generic web:
grep -r 'Calendar.JSONService' /var/log/apache2/access.logdisclosure
Exploit Status
EPSS
0.21% (43% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-65091 is to upgrade to XWiki Macro FullCalendar version 2.4.5 or later, which contains the necessary fix. If an immediate upgrade is not feasible due to compatibility concerns or testing requirements, a temporary workaround involves removing the Calendar.JSONService page. While this mitigates the vulnerability, it will also disable certain functionalities of the FullCalendar macro. Consider implementing Web Application Firewall (WAF) rules to filter out potentially malicious requests targeting the Calendar.JSONService endpoint. Regularly review XWiki configurations and access controls to ensure least privilege principles are enforced.
Actualiseer de XWiki Full Calendar macro naar versie 2.4.5 of hoger. Deze versie bevat een correctie voor de SQL injection kwetsbaarheid. De update kan worden uitgevoerd via de XWiki extensiebeheerder.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-65091 is a critical SQL Injection vulnerability affecting XWiki Macro FullCalendar versions prior to 2.4.5. It allows unauthorized users to potentially extract data or launch DoS attacks.
If you are using XWiki Macro FullCalendar version 2.4.4 or earlier, you are vulnerable to this SQL Injection flaw. Upgrade to 2.4.5 to mitigate the risk.
The recommended fix is to upgrade to XWiki Macro FullCalendar version 2.4.5 or later. As a temporary workaround, remove the Calendar.JSONService page.
While there are currently no confirmed reports of active exploitation, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the XWiki Jira issue for more information: https://jira.xwiki.org/browse/FULLCAL-80 and https://jira.xwiki.org/browse/FULLCAL-81
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Upload je pom.xml-bestand en we vertellen je direct of je getroffen bent.