CVE-2024-56158:
XWiki allows SQL injection in query endpoint of REST API with Oracle
CVSS Score: N/A
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.xwiki.platform:xwiki-platform-oldcore | maven | >= 1.0, < 15.10.16 | 15.10.16 |
org.xwiki.platform:xwiki-platform-oldcore | maven | >= 16.0.0-rc-1, < 16.4.7 | 16.4.7 |
org.xwiki.platform:xwiki-platform-oldcore | maven | >= 16.5.0-rc-1, < 16.10.2 | 16.10.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The commits provided for this advisory consist only of version bumps and SCM tag updates in pom.xml files for the release versions 15.10.16, 16.4.7, and 16.10.2; they do not contain the code changes that fixed the SQL injection vulnerability (XWIKI-22734). The Jira issue XWIKI-22734, which describes the vulnerability, does not link to specific commits. The advisory states that the XWiki query validator does not sanitize Oracle functions such as DBMS_XMLGEN or DBMS_XMLQUERY, and that Hibernate allows native database functions in HQL, so a query submitted through the REST query endpoint can reach an Oracle database with these function calls intact. The affected package is org.xwiki.platform:xwiki-platform-oldcore, but without the actual patch diffs the vulnerable functions and their file paths cannot be pinpointed and no concrete patch evidence can be provided. XWIKI-22734 also references XWIKI-22691, which suggests the fix may lie in a related area, but without commit details for either issue a precise analysis is not possible. Therefore, no vulnerable functions can be identified with the required level of confidence and evidence.
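The mechanism described above, a query validator that lets Oracle package functions pass through Hibernate to the database, can be illustrated with the kind of allowlist check that would have stopped it. The Python below is an added example and is not XWiki's validator or any code from the project: it extracts every function-call name from an HQL string, skips HQL keywords and a small assumed allowlist of standard HQL functions, and reports everything else, so DBMS_XMLGEN.GETXML and DBMS_XMLQUERY.GETXML are flagged. The allowlist, the keyword set and the sample queries are all constructed for this example.

```python
import re

# Assumed allowlist of standard HQL/JPQL functions (constructed for this example;
# it is not XWiki's real list). Anything not listed here is reported.
ALLOWED_FUNCTIONS = {
    "upper", "lower", "trim", "length", "concat", "substring", "locate",
    "abs", "sqrt", "mod", "count", "sum", "min", "max", "avg",
    "coalesce", "nullif", "cast", "size", "str",
    "current_date", "current_time", "current_timestamp",
}

# HQL keywords that may legitimately be followed by '(' without being a call.
HQL_KEYWORDS = {
    "select", "from", "where", "and", "or", "not", "in", "exists",
    "join", "on", "having", "case", "when", "then", "else", "end",
    "all", "any", "some", "between", "like", "is", "as", "new", "map", "list",
}

# A possibly dotted identifier (e.g. DBMS_XMLGEN.GETXML) followed by '('.
_CALL_RE = re.compile(
    r"\b([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\s*\("
)

# A single-quoted HQL string literal, with '' as the escaped quote.
_STRING_RE = re.compile(r"'(?:[^']|'')*'")


def strip_string_literals(hql):
    """Blank out string literals so names inside quoted values are not scanned."""
    return _STRING_RE.sub("''", hql)


def find_disallowed_calls(hql):
    """Return the function-call names in `hql` that are neither keywords nor allowlisted."""
    cleaned = strip_string_literals(hql)
    flagged = []
    for match in _CALL_RE.finditer(cleaned):
        name = match.group(1)
        lowered = name.lower()
        if lowered in ALLOWED_FUNCTIONS or lowered in HQL_KEYWORDS:
            continue
        if name not in flagged:
            flagged.append(name)
    return flagged


def validate_query(hql):
    """Return (accepted, flagged_calls); reject when any unknown function is called."""
    flagged = find_disallowed_calls(hql)
    return (not flagged, flagged)


# Constructed sample queries: two ordinary ones, two that call the Oracle PL/SQL
# packages named in the advisory, and one that only mentions such a name inside data.
SAMPLE_QUERIES = [
    "select doc.fullName from XWikiDocument as doc where lower(doc.space) = 'Main'",
    "select count(doc) from XWikiDocument as doc "
    "where doc.space in ('Main', 'Sandbox') and length(doc.title) > 3",
    "select doc.fullName from XWikiDocument as doc "
    "where DBMS_XMLGEN.GETXML('select 1 from dual') is not null",
    "select doc.fullName from XWikiDocument as doc "
    "where dbms_xmlquery.getxml('select 1 from dual') like '%<ROW>%'",
    "select doc.fullName from XWikiDocument as doc where doc.title = 'DBMS_XMLGEN.GETXML(x)'",
]

if __name__ == "__main__":
    for query in SAMPLE_QUERIES:
        accepted, flagged = validate_query(query)
        print("ACCEPT" if accepted else "REJECT", flagged, query)
```

An allowlist is the right shape for this check: a denylist of DBMS_XMLGEN and DBMS_XMLQUERY would miss any other Oracle package that accepts a SQL string, whereas an allowlist fails closed on every function the validator has not been taught. String literals are blanked before scanning so that a function name appearing only inside a quoted value is not reported; the attacker's SQL payload sits in such a literal, but it is the enclosing call that the validator has to reject.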