SQL injection in XWiki platform - CVE-2021-21380

 

SQL injection in XWiki platform - CVE-2021-21380

Published: March 19, 2021 / Updated: May 5, 2026


Vulnerability identifier: #VU130043
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21380
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to modify data through SQL injection.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the Rating Script Service when processing SQL requests with unescaped from and where search arguments. A remote user can send crafted search arguments to modify data through SQL injection.

Only XWiki instances with the Ratings API installed are vulnerable.


How to mitigate CVE-2021-21380

Install security update from vendor's website.

Sources