org.xwiki.commons:xwiki-commons-velocity@14.10.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.xwiki.commons:xwiki-commons-velocity package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Eval Injection

Affected versions of this package are vulnerable to Eval Injection due to not escaping { in the Velocity escapetool. An attacker can inject XWiki syntax, leading to remote code execution by exploiting the HTML escaping tool's inability to escape {.

How to fix Eval Injection?

Upgrade org.xwiki.commons:xwiki-commons-velocity to version 14.10.19, 15.5.4, 15.9-rc-1 or higher.

[,14.10.19) [15.0-rc-1,15.5.4) [15.6-rc-1,15.9-rc-1)