org.xwiki.commons:xwiki-commons-velocity@14.10.8 vulnerabilities

latest version

16.10.2

latest non vulnerable version

16.10.2

first published

13 years ago

latest version published

29 days ago

licenses detected

LGPL-2.1
[0,)

package manager

View on Maven Repository

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.xwiki.commons:xwiki-commons-velocity package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C Eval Injection Affected versions of this package are vulnerable to Eval Injection due to not escaping `{` in the Velocity `escapetool`. An attacker can inject XWiki syntax, leading to remote code execution by exploiting the HTML escaping tool's inability to escape `{`. How to fix Eval Injection? Upgrade `org.xwiki.commons:xwiki-commons-velocity` to version 14.10.19, 15.5.4, 15.9-rc-1 or higher.	[,14.10.19)[15.0-rc-1,15.5.4)[15.6-rc-1,15.9-rc-1)

Eval Injection

Affected versions of this package are vulnerable to Eval Injection due to not escaping { in the Velocity escapetool. An attacker can inject XWiki syntax, leading to remote code execution by exploiting the HTML escaping tool's inability to escape {.

How to fix Eval Injection?

Upgrade org.xwiki.commons:xwiki-commons-velocity to version 14.10.19, 15.5.4, 15.9-rc-1 or higher.

[,14.10.19)[15.0-rc-1,15.5.4)[15.6-rc-1,15.9-rc-1)

Go back to all versions of this package