10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65091

CVE-2025-65091: XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right to view the Calendar.JSONService page (including guest users) can exploit a SQL injection vulnerability by accessing database info or starting a DoS attack. This issue has been patched in version 2.4.5.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65091

CVE-2025-65091:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.contrib:macro-fullcalendar-pom	maven	<= 2.4.3	2.4.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patch commit reveals a classic SQL injection vulnerability within a Velocity template file, Calendar.JSONService.xml. The vulnerability is not in a compiled Java function but in the scripting logic of this template, which is executed by the XWiki platform. The original code allowed for direct concatenation of user input from request parameters into an HQL query string. Specifically, the sql request parameter could be used to inject arbitrary HQL, which was then executed. The patch addresses this by removing the unsafe, dynamic query construction and replacing it with a parameterized query approach. The vulnerable code unit is the script logic within the Calendar.JSONService.xml file itself, which acts as the service endpoint. Therefore, a runtime profiler would show calls originating from the rendering of this page, leading to the execution of the vulnerable query via XWiki's query service.

Vulnerable functions

Calendar.JSONService

macro-fullcalendar-ui/src/main/resources/Calendar/JSONService.xml

The vulnerability exists in the Velocity script within `Calendar.JSONService.xml`. The script dynamically constructs an HQL query by concatenating user-controlled request parameters, including `sql`, `fromsql`, and `wheresql`, without proper sanitization. An attacker could provide a malicious HQL query fragment in the `sql` parameter, which would then be executed by the `$services.query.hql()` method. The patch mitigates this by removing the direct use of the `sql` parameter and switching to a parameterized query for the `classname` parameter.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65091: XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService

CVE-2025-65091:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

10

10

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-65091: XWiki Full Calendar Macro vulnerable to SQL injection through Calendar.JSONService

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI