SQL injection in XWiki platform - CVE-2021-21380


Published: March 19, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU130043
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21380
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote user to modify data through SQL injection.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the Rating Script Service: the "from" and "where" search arguments are inserted into the SQL request without being escaped. A remote user can send crafted search arguments to modify data through SQL injection.

Only XWiki instances with the Ratings API installed are vulnerable.
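The pattern behind this bug class, shown as an added example that is not XWiki's code: a search helper that pastes caller-supplied "from" and "where" fragments into the query next to a hardened form that allowlists identifiers and binds values as parameters. The table, columns and rows are constructed stand-ins, not the real Ratings schema.

```python
import re
import sqlite3

# Constructed sample schema standing in for a ratings table (names are assumptions).
SCHEMA = """
CREATE TABLE ratings (id INTEGER PRIMARY KEY, doc TEXT, author TEXT, vote INTEGER);
INSERT INTO ratings (doc, author, vote) VALUES
  ('Main.WebHome', 'alice', 5), ('Main.WebHome', 'bob', 3), ('Sandbox.Test', 'alice', 1);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def vulnerable_search(conn, from_clause, where_clause):
    """Flawed pattern: FROM and WHERE fragments from the caller become SQL verbatim."""
    query = f"SELECT id, doc, author, vote FROM {from_clause} WHERE {where_clause}"
    return conn.execute(query).fetchall()

ALLOWED_TABLES = {"ratings"}
ALLOWED_COLUMNS = {"id", "doc", "author", "vote"}
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def safe_search(conn, table, filters):
    """Hardened form: identifiers must be on an allowlist, values are bound, never concatenated."""
    if table not in ALLOWED_TABLES or not IDENT.match(table):
        raise ValueError(f"table not allowed: {table!r}")
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS or not IDENT.match(column):
            raise ValueError(f"column not allowed: {column!r}")
        clauses.append(f"{column} = ?")   # placeholder; the driver escapes the value
        params.append(value)
    where = " AND ".join(clauses) or "1=1"
    query = f"SELECT id, doc, author, vote FROM {table} WHERE {where}"
    return conn.execute(query, params).fetchall()

def search_is_rejected(conn, table, filters):
    """True when the hardened helper refuses the identifiers it was given."""
    try:
        safe_search(conn, table, filters)
    except ValueError:
        return True
    return False

def demo():
    conn = open_db()
    # The same untrusted string: executed as a condition by the flawed helper,
    # treated as a plain value (matching no author) by the hardened one.
    leaked = vulnerable_search(conn, "ratings", "author = 'bob' OR 1=1")
    bound = safe_search(conn, "ratings", {"author": "bob' OR 1=1"})
    return len(leaked), len(bound)
```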


Remediation

Install the security update from the vendor's website.

External links