Platform
java
Component
org.xwiki.contrib:macro-fullcalendar-pom
Fixed versions
2.4.6
2.4.5
CVE-2025-65091 describes a critical SQL injection vulnerability in the XWiki Macro FullCalendar extension. Because the injectable endpoint is reachable by unauthenticated (guest) users, any visitor can potentially extract data from the wiki database or cause a denial of service (DoS). Versions before 2.4.5 are affected; the fix ships in 2.4.5.
The injection point is reached through the Calendar.JSONService page, which the macro exposes to every user of the wiki, guests included, so exploitation requires no account. A successful injection returns data from whatever tables the XWiki database user can read: wiki document content, including user profile objects and the password hashes stored in them, configuration objects, and application data. Anything beyond reading data depends on the database backend and on the privileges of the account XWiki connects with; the advisory describes data extraction and denial of service, not command execution, and a least-privilege database account bounds the damage. The DoS path is a query that is expensive for the database to evaluate (one that forces a scan of a large table, or that calls a time-delay function) submitted repeatedly from an unauthenticated client, which ties up the connection pool and makes the wiki unavailable to legitimate users.
Public details on active exploitation of CVE-2025-65091 are currently limited. The critical severity and the low bar to exploitation (no account is needed) make future exploitation attempts likely. The vulnerability was disclosed publicly on 2026-01-09. Monitor XWiki installations for requests to Calendar.JSONService that contain SQL syntax, for Hibernate or SQL exceptions in the XWiki log, and for unusual database load.
Organizations running XWiki with the Macro FullCalendar extension are at risk, especially where the wiki is reachable from the internet, since guest access is enough. Deployments in which several XWiki instances, or several wikis of one farm, share a database server are also exposed: depending on the privileges of the database account XWiki uses, a query injected through one instance may read data belonging to another.
• java / server:
ps -ef | grep -i fullcalendar
(the macro runs inside the XWiki servlet container, so this locates the JVM to inspect rather than proving the extension is installed; confirm the installed version in the Extension Manager)
• java / server:
journalctl -u xwiki | grep -i "Calendar.JSONService"
(assumes XWiki runs as a systemd unit named xwiki; substitute the Tomcat or Jetty unit name otherwise)
• generic web:
curl -I <xwiki_url>/xwiki/bin/view/Calendar/JSONService
(XWiki serves the page Calendar.JSONService at /bin/<action>/Calendar/JSONService; a 200 means the page is present, a 404 that the workaround of removing it has been applied)
• generic web:
grep -rE 'Calendar[./]JSONService' /var/log/apache2/access.log
Disclosure
2026-01-09
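As an added example (not the page's own tooling and not code from the XWiki project), the following Python script applies the log check above to web-server traffic: it parses Apache combined-format lines, fully URL-decodes the query string so double-encoded payloads are not missed, flags requests to the JSONService endpoint whose parameters carry SQL syntax, and counts per-client request volume against the endpoint as the DoS signal. The log lines are constructed; the /xwiki context path, the /bin/<action>/Calendar/JSONService URL form and the start/end parameter names are assumptions, since the advisory does not name the injected parameter.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample traffic in Apache combined log format; not real data.
# Assumptions: XWiki is served under /xwiki, the FullCalendar JSON endpoint is the
# page Calendar.JSONService (URL form /bin/<action>/Calendar/JSONService), and the
# query parameter names (start, end) are hypothetical stand-ins.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jan/2026:10:01:22 +0000] "GET /xwiki/bin/get/Calendar/JSONService?outputSyntax=plain&start=2026-01-01&end=2026-01-31 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.10 - - [09/Jan/2026:10:01:23 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jan/2026:10:05:41 +0000] "GET /xwiki/bin/get/Calendar/JSONService?outputSyntax=plain&start=2026-01-01%27%20OR%201%3D1--&end=2026-01-31 HTTP/1.1" 500 612 "-" "python-requests/2.32"
198.51.100.7 - - [09/Jan/2026:10:05:42 +0000] "GET /xwiki/bin/get/Calendar/JSONService?outputSyntax=plain&start=2026-01-01%2527%2520AND%2520SLEEP(10)--&end=2026-01-31 HTTP/1.1" 200 2 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Any XWiki action (view, get, ...) on the space Calendar, page JSONService.
ENDPOINT_RE = re.compile(r"/bin/[a-z]+/Calendar/JSONService(?:/|$)")

# Indicators evaluated against the fully decoded query string. Labels are
# returned so an analyst can see why a request was flagged.
SQLI_INDICATORS = {
    "quote": re.compile(r"'"),
    "keyword": re.compile(r"\b(?:union|select|sleep|benchmark|pg_sleep|waitfor)\b", re.I),
    "comment": re.compile(r"--|/\*|#"),
    "tautology": re.compile(r"\b(?:or|and)\s+(?:\w+|'[^']*')\s*=\s*(?:\w+|'[^']*')", re.I),
}


def fully_decode(value, max_rounds=3):
    """URL-decode until the string stops changing, so %2527 is caught as well as %27."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line):
    """Return ip, user, ts, method, path, decoded query, status, size; None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    path, _, query = rec.pop("target").partition("?")
    rec["path"] = path
    rec["query"] = fully_decode(query)
    return rec


def sqli_indicators(decoded_query):
    """Labels of every indicator pattern present in the decoded query string."""
    return [label for label, rx in SQLI_INDICATORS.items() if rx.search(decoded_query)]


def scan(log_text):
    """Flag JSONService requests whose query string carries SQL syntax."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ENDPOINT_RE.search(rec["path"]):
            continue
        hits = sqli_indicators(rec["query"])
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                             "query": rec["query"], "indicators": hits})
    return findings


def jsonservice_requests_per_ip(log_text):
    """Request volume per client against the endpoint; a spike is the DoS signal."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and ENDPOINT_RE.search(rec["path"]):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} HTTP {f['status']} {f['indicators']}: {f['query']}")
    print(jsonservice_requests_per_ip(SAMPLE_LOG))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the third sample line shows the HTTP 500 that a malformed injected query typically produces once it reaches Hibernate, and the fourth shows why decoding must be repeated until stable. The indicator list is deliberately broad for hunting rather than blocking; tune it before turning it into a WAF rule.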
Exploitation status
EPSS
0.21% (43rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-65091 is to upgrade XWiki Macro FullCalendar to version 2.4.5 or later, which contains the fix. If an immediate upgrade is not feasible because of compatibility or testing requirements, a temporary workaround is to delete the Calendar.JSONService page; this closes the injection point but also disables the FullCalendar macro functionality that depends on it, and a request for the page should return 404 afterwards. Web Application Firewall (WAF) rules that block requests to the Calendar.JSONService endpoint carrying SQL syntax (quotes, comment sequences, UNION/SELECT keywords) reduce exposure but are not a substitute for the upgrade. Regularly review XWiki configurations and access controls, including the privileges of the database account XWiki connects with, so that least-privilege principles are enforced.
Update the XWiki Full Calendar macro to version 2.4.5 or later. This version contains the fix for the SQL injection vulnerability. The update can be performed through the XWiki Extension Manager.
CVE-2025-65091 is a critical SQL injection vulnerability affecting XWiki Macro FullCalendar versions prior to 2.4.5. It allows unauthenticated users, including guests, to potentially extract data from the database or launch DoS attacks.
If you are using XWiki Macro FullCalendar version 2.4.4 or earlier, you are vulnerable to this SQL Injection flaw. Upgrade to 2.4.5 to mitigate the risk.
The recommended fix is to upgrade to XWiki Macro FullCalendar version 2.4.5 or later. As a temporary workaround, remove the Calendar.JSONService page.
While there are currently no confirmed reports of active exploitation, the vulnerability's severity and ease of exploitation suggest a potential for future attacks.
Refer to the XWiki Jira issue for more information: https://jira.xwiki.org/browse/FULLCAL-80 and https://jira.xwiki.org/browse/FULLCAL-81