CVE-2025-65091: Critical XWiki Full Calendar Macro SQL Injection Allowing Unauthenticated Database Access & Denial-of-Service

Vulnerability Overview (At a Glance)

CVE ID: CVE-2025-65091
Product: XWiki – Full Calendar (macro-fullcalendar)
Affected Component: Calendar.JSONService
Vulnerability Type: SQL Injection
Severity: Critical
CVSS v3.1 Score: 10.0 (Critical)
Attack Vector: Network
Authentication Required: None (in most default/public setups)
User Interaction: Not required
Impact: Database read access, potential data manipulation, denial of service
Exploitability: High (simple HTTP requests)
Public Exploit / PoC: Not officially published by the vendor; exploitation techniques are well-understood and reproducible for educational and testing purposes
Patch Status: Fixed
Patched Version: macro-fullcalendar 2.4.5

Official Patch / Upgrade Link (only):
https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-2g22-wg49-fgv5


What This Vulnerability Is About

CVE-2025-65091 is a SQL injection vulnerability found in the Full Calendar Macro used by XWiki.
The issue exists in a backend service called Calendar.JSONService, which is responsible for returning calendar data in JSON format.

The core problem is simple but dangerous:

The service trusted user-supplied request parameters and used them directly to build database queries without proper sanitization or parameter binding.

Because of this, an attacker can manipulate the database query itself, instead of just supplying normal calendar data.

In real terms, this means:

  • An attacker can read data they should not be able to see
  • In some cases, they can modify or influence database content
  • They can also force the database to run very expensive queries, leading to denial of service

Why This Is Critical

This vulnerability is rated CVSS 10.0 (Critical) because:

  • It can be exploited remotely
  • It often requires no authentication
  • It does not need user interaction
  • It directly impacts:
    • Confidentiality – sensitive data exposure
    • Integrity – possible manipulation of stored data
    • Availability – database and application can be overwhelmed

If the calendar service is exposed to anonymous users (which is common in many XWiki deployments), anyone on the internet can attempt exploitation.


Root Cause

The Calendar.JSONService endpoint accepts request parameters that describe how calendar entries should be queried.
Some of these parameters were treated as query fragments, such as:

  • filtering conditions
  • class names
  • where clauses

Instead of safely binding these values as parameters, the application inserted them directly into the query string.
This allowed attackers to inject their own SQL/HQL logic.

Additionally:

  • The query execution happened with elevated permissions
  • Programming rights were not dropped before executing database queries

This combination made exploitation both easy and high impact.


How This Can Be Exploited

The following is high-level and educational.

At a high level, an exploitation attempt looks like this:

  1. The attacker identifies the Calendar.JSONService endpoint
  2. The attacker sends crafted HTTP requests containing malicious input in query-related parameters
  3. The backend executes the manipulated query as if it were legitimate
  4. The attacker observes:
    • Unexpected data in the response
    • Error messages
    • Time delays (for blind/time-based attacks)
    • Application slowdown or crashes

Because the service returns JSON data, successful exploitation often blends in with normal traffic, making it harder to notice without proper logging.


Potential Impact Scenarios

1. Database Data Exposure

  • Reading user profiles
  • Extracting internal wiki objects
  • Enumerating content that is not publicly visible

2. Denial of Service (DoS)

  • Triggering large joins or full table scans
  • Repeating expensive queries rapidly
  • Exhausting database connections or CPU

3. Pivoting Attacks

  • Using exposed data to escalate further attacks
  • Mapping internal schema for future exploitation

MITRE Classification

  • CWE-89 – Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
  • ATT&CK Technique:
    • T1190 – Exploit Public-Facing Application

Detection – How to Identify Exploitation Attempts

Relevant Log Sources

To detect this vulnerability being abused, monitor:

  1. Web Server / Reverse Proxy Logs
    • Apache / Nginx / Load balancer logs
  2. XWiki Application Logs
    • Stack traces
    • Query execution errors
    • Unexpected permission warnings
  3. Database Logs
    • Slow query logs
    • Query errors
    • Sudden spikes in query volume

What to Look For in Logs

Suspicious Indicators

  • Requests hitting: Calendar.JSONService
  • Presence of parameters such as: sql, wheresql, fromsql, request.sql
  • Long or encoded query strings
  • Repeated use of SQL tokens such as ' (single quote), -- (comment), ; (statement separator) or UNION SELECT
  • High request frequency from a single IP to the calendar service

Detection Logic (SIEM / Logs)

General detection idea (pseudo-logic):

  • Filter requests where URL contains Calendar.JSONService
  • Flag requests with query parameters containing SQL keywords
  • Alert when:
    • Multiple attempts occur in a short timeframe
    • Requests trigger database errors or long execution times
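As an added illustration of the pseudo-logic above (example code written for this write-up, not part of the original advisory or of XWiki), the following Python runs the three checks over a handful of constructed access-log lines: it filters requests to Calendar.JSONService, flags the query-fragment parameter names and SQL tokens listed above, and alerts when one source IP makes repeated attempts inside a short window or triggers a server error. The /bin/get/Calendar/JSONService URL form, the sample IPs and the timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format), not real traffic; /bin/get/Calendar/JSONService is the assumed URL form of the Calendar.JSONService page.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2025:10:00:01 +0000] "GET /bin/get/Calendar/JSONService?start=2025-11-01&end=2025-11-30 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Nov/2025:10:00:05 +0000] "GET /bin/get/Calendar/JSONService?wheresql=%27%20OR%201%3D1%20--%20 HTTP/1.1" 200 8192 "-" "curl/8.0"
198.51.100.9 - - [20/Nov/2025:10:00:06 +0000] "GET /bin/get/Calendar/JSONService?sql=%27%20UNION%20SELECT%201 HTTP/1.1" 500 180 "-" "curl/8.0"
198.51.100.9 - - [20/Nov/2025:10:00:07 +0000] "GET /bin/get/Calendar/JSONService?fromsql=x%3B%20-- HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.7 - - [20/Nov/2025:10:02:00 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')
SUSPECT_PARAMS = {"sql", "wheresql", "fromsql", "request.sql"}  # query-fragment parameter names from the advisory
SQL_TOKENS = re.compile(r"('|--|;|\bunion\b|\bselect\b)", re.IGNORECASE)  # tokens the advisory lists
def parse_line(line):
    """Parse one combined-format line into ip, timestamp, url and status; None if malformed."""
    if not (m := LOG_RE.match(line)):
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "url": m["url"], "status": int(m["status"])}
def score_request(url):
    """Reasons a Calendar.JSONService request looks like an injection attempt ([] if clean)."""
    parts = urlsplit(url)
    if "Calendar/JSONService" not in parts.path:
        return []
    reasons = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name in SUSPECT_PARAMS:
            reasons.append(f"query-fragment parameter: {name}")
        if any(SQL_TOKENS.search(v) for v in values):  # parse_qs has already percent-decoded
            reasons.append(f"SQL token in parameter: {name}")
    return reasons
def detect(log_text, window=timedelta(seconds=60), threshold=2):
    """Alert per source IP on `threshold` suspicious requests inside `window`, or on any 5xx for one."""
    events = defaultdict(list)  # ip -> [(timestamp, status, reasons)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = score_request(rec["url"]) if rec else []
        if reasons:
            events[rec["ip"]].append((rec["ts"], rec["status"], reasons))
    alerts = {}
    for ip, evs in events.items():
        times = sorted(t for t, _, _ in evs)
        burst = max(sum(1 for t in times if t0 <= t <= t0 + window) for t0 in times)
        errors = sum(1 for _, s, _ in evs if s >= 500)  # a DB error on a crafted query is a strong signal
        if burst >= threshold or errors:
            alerts[ip] = {"attempts": len(evs), "burst": burst, "errors": errors, "reasons": sorted({r for *_, rs in evs for r in rs})}
    return alerts
```

Feed it your own proxy log instead of SAMPLE_LOG; the same per-IP burst and error counters map directly onto a SIEM correlation rule.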

IDS / WAF Detection

You can deploy temporary WAF rules to:

  • Inspect requests to Calendar.JSONService
  • Block or alert on suspicious SQL-like patterns
  • Rate-limit access to the endpoint

Is There a Public PoC or Exploit?

  • Vendor: No official exploit or PoC published
  • Reality:
    SQL injection techniques are widely known, and this issue is trivially reproducible in lab environments by security researchers or testers

Any exploitation discussion should remain:

  • Authorized
  • Educational
  • Performed only in controlled environments

How the Official Patch Fixes the Issue

The patched version (2.4.5) introduces key security improvements:

  1. Parameterized Queries
    • User input is bound safely instead of concatenated
  2. Permission Hardening
    • Programming rights are dropped before query execution
  3. Stricter Query Construction
    • Prevents arbitrary query manipulation

This eliminates the injection vector entirely when properly deployed.


Mitigation & Remediation Steps

Immediate Actions

  1. Upgrade to macro-fullcalendar 2.4.5 or later
  2. Confirm the patch is applied on all nodes
  3. Restart services after upgrade

If You Cannot Patch Immediately

  • Restrict access to Calendar.JSONService
  • Remove public/guest view permissions
  • Temporarily disable the calendar macro if business allows

Defense-in-Depth

  • Apply least-privilege to the database user
  • Enable query logging and slow query alerts
  • Monitor for abnormal calendar API usage

Final Statement

CVE-2025-65091 is a textbook critical SQL injection vulnerability in a commonly deployed XWiki component.
If left unpatched, it exposes organizations to data breaches, service disruption, and lateral security risks.

The fix is available, straightforward, and effective.
Delaying patching significantly increases real-world risk.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.