CVE-2025-65091 — AI Deep Analysis Summary

🚨 **Essence**: SQL Injection in XWiki Full Calendar Macro. <br>💥 **Consequences**: Attackers can access sensitive database info or trigger Denial of Service (DoS). Critical integrity/availability loss.

🛡️ **CWE-89**: Improper Neutralization of Special Elements used in an SQL Command. <br>🔍 **Flaw**: User input in the Calendar.JSONService is not sanitized before database execution.

📦 **Product**: XWiki Full Calendar Macro (`macro-fullcalendar`). <br>📉 **Affected**: Versions **prior to 2.4.5**. <br>🏢 **Vendor**: xwiki-contrib.

🕵️ **Data Access**: Read arbitrary database contents. <br>💣 **DoS**: Crash or overload the service. <br>🔓 **Privilege**: Requires only 'View Calendar.JSONService' permission.

📉 **Threshold: LOW**. <br>🔑 **Auth**: No authentication required for the specific endpoint if view permission exists (often public or low-barrier). <br>🌐 **Network**: Remote (AV:N). <br>🎯 **Complexity**: Low (AC:L).

🚫 **Public Exploit**: None currently listed in the data. <br>📝 **Status**: PoCs are empty in the provided dataset. <br>⚠️ **Risk**: High CVSS score suggests easy exploitation logic, even without public code.

🔍 **Check**: Scan for `macro-fullcalendar` version < 2.4.5. <br>🌐 **Target**: Look for `Calendar.JSONService` endpoints. <br>📡 **Tools**: Use SQL injection scanners against calendar-related API paths.

✅ **Fixed**: Yes. <br>🔧 **Patch**: Upgrade to **version 2.4.5** or later. <br>🔗 **Ref**: GitHub Advisory GHSA-2g22-wg49-fgv5 & Commit 5fdcf06.

🛑 **Workaround**: Disable the Full Calendar Macro if not needed. <br>🚧 **Network**: Restrict access to `Calendar.JSONService` via WAF or firewall rules.…

🔥 **Priority: CRITICAL**. <br>📊 **CVSS**: 9.8 (High). <br>🚀 **Action**: Patch immediately. Remote, unauthenticated (or low-priv) SQLi is a top-tier threat.