SB2021031924 - SQL injection in XWiki platform

Published: March 19, 2021 Updated: May 5, 2026

Security Bulletin ID: SB2021031924
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) SQL injection (CVE-ID: CVE-2021-21380)

The vulnerability allows a remote user to modify data through SQL injection.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the Rating Script Service when it processes SQL requests whose "from" and "where" search arguments are not escaped. A remote user can send crafted search arguments to modify data through SQL injection.

Only XWiki instances with the Ratings API installed are vulnerable.


Remediation

Install the update from the vendor's website.