XWiki allows SQL injection in query endpoint of REST API with Oracle
Description

Impact

It is possible to execute arbitrary SQL against Oracle by calling functions such as DBMS_XMLGEN or DBMS_XMLQUERY from a query submitted to the REST API query endpoint. The XWiki query validator does not restrict the functions that may appear in a simple select, and Hibernate allows any native database function to be used in an HQL query.

Patches

This has been patched in 16.10.2, 16.4.7 and 15.10.16.

Workarounds

There is no known workaround other than upgrading XWiki.

References

https://jira.xwiki.org/browse/XWIKI-22734

For more information

If you have any questions or comments about this advisory:
* Open an issue in Jira XWiki.org
* Email us at Security Mailing…
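The root cause described above is a validator that lets unknown function names pass through to Hibernate, which in turn hands them to the database as native functions. The following Python sketch is an added example (not XWiki's own validator and not the actual fix) of the opposite approach: an allowlist check that extracts every identifier followed by an opening parenthesis from an HQL string, ignores string literals and HQL keywords, and rejects the query if any call is not a known HQL function. The allowlist contents, the helper names and the sample queries are assumptions constructed for the demonstration; the Oracle package names come from the advisory.

```python
import re

# Assumed allowlist of HQL functions a read-only wiki query legitimately needs.
# Anything not listed here (including every Oracle DBMS_* package function) is rejected.
ALLOWED_FUNCTIONS = frozenset({
    "count", "max", "min", "sum", "avg",
    "lower", "upper", "length", "trim", "concat", "substring", "coalesce",
})

# HQL keywords that are legitimately followed by '(' but are not function calls.
HQL_KEYWORDS = frozenset({
    "select", "from", "where", "in", "exists", "and", "or", "not",
    "having", "on", "when", "then", "else", "any", "all", "some", "as",
    "distinct", "values", "join", "group", "order", "by",
})

# A possibly dotted identifier (e.g. PACKAGE.FUNCTION) immediately followed by '('.
_FUNCTION_CALL = re.compile(
    r"\b([A-Za-z_][\w$#]*(?:\s*\.\s*[A-Za-z_][\w$#]*)*)\s*\("
)
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")


def _strip_string_literals(hql: str) -> str:
    """Replace quoted literals with '' so text inside strings is never taken for a call."""
    return _STRING_LITERAL.sub("''", hql)


def find_function_calls(hql: str) -> list:
    """Return the function names called in the query, in order, keywords excluded."""
    calls = []
    for match in _FUNCTION_CALL.finditer(_strip_string_literals(hql)):
        name = re.sub(r"\s*\.\s*", ".", match.group(1))  # normalise "A . B" to "A.B"
        if name.lower() in HQL_KEYWORDS:
            continue
        calls.append(name)
    return calls


def validate_functions(hql: str, allowed=ALLOWED_FUNCTIONS) -> list:
    """Return the calls that are NOT on the allowlist; an empty list means the query passes.

    A dotted name such as DBMS_XMLGEN.getxml can never match a plain allowlist entry,
    so package-qualified native functions are rejected without a denylist.
    """
    return [name for name in find_function_calls(hql) if name.lower() not in allowed]


def is_query_allowed(hql: str) -> bool:
    return not validate_functions(hql)


if __name__ == "__main__":
    # Constructed sample queries: two benign, one invoking an Oracle package function.
    samples = [
        "select doc.fullName from XWikiDocument doc where doc.space = :space",
        "select count(doc.fullName) from XWikiDocument doc "
        "where lower(doc.name) in ('a', 'b') and doc.title = 'looks(like a call)'",
        "select DBMS_XMLGEN.getxml('<constructed placeholder>') from XWikiDocument doc",
    ]
    for hql in samples:
        verdict = "allowed" if is_query_allowed(hql) else "rejected"
        print(f"{verdict:8} {validate_functions(hql)}  <- {hql}")
```

The check is deliberately an allowlist: a denylist of package prefixes would have to be kept current with every native function the database exposes, whereas an allowlist only has to name the handful of HQL functions the query API actually supports.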