cvelistv5 - cve-2025-53835

CVE-2025-53835 (GCVE-0-2025-53835)

Vulnerability from cvelistv5 – Published: 2025-07-14 23:00 – Updated: 2025-07-15 19:49

Summary

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.

Severity ?

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-rendering/security…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-rendering/commit/a…	x_refsource_MISC
	https://jira.xwiki.org/browse/XRENDERING-660	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-rendering	Affected: >= 5.4.5, < 14.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53835",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:25:17.313296Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:49:26.336Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-rendering",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.4.5, \u003c 14.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it\u0027s main purpose is testing and its use is quite difficult, this syntax shouldn\u0027t be installed or used on a regular wiki. There are no known workarounds apart from upgrading."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:00:35.577Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p"
        },
        {
          "name": "https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7"
        },
        {
          "name": "https://jira.xwiki.org/browse/XRENDERING-660",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XRENDERING-660"
        }
      ],
      "source": {
        "advisory": "GHSA-w3wh-g4m9-783p",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53835",
    "datePublished": "2025-07-14T23:00:35.577Z",
    "dateReserved": "2025-07-09T14:14:52.532Z",
    "dateUpdated": "2025-07-15T19:49:26.336Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-53835\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-14T23:15:25.090\",\"lastModified\":\"2025-08-26T17:52:40.370\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it\u0027s main purpose is testing and its use is quite difficult, this syntax shouldn\u0027t be installed or used on a regular wiki. There are no known workarounds apart from upgrading.\"},{\"lang\":\"es\",\"value\":\"XWiki Rendering es un sistema de renderizado gen\u00e9rico que convierte la entrada de texto en una sintaxis dada (sintaxis wiki, HTML, etc.) en otra sintaxis (XHTML, etc.). A partir de la versi\u00f3n 5.4.5 y antes de la versi\u00f3n 14.10, la sintaxis XHTML depend\u00eda de la sintaxis `xdom+xml/current`, que permite la creaci\u00f3n de bloques sin procesar que permiten la inserci\u00f3n de contenido HTML arbitrario, incluyendo JavaScript. Esto permite ataques XSS para usuarios que pueden editar un documento como su perfil de usuario (habilitado por defecto). Esto se ha corregido en la versi\u00f3n 14.10 eliminando la dependencia de la sintaxis `xdom+xml/current` de la sintaxis XHTML. Tenga en cuenta que la sintaxis `xdom+xml` sigue siendo vulnerable a este ataque. Como su prop\u00f3sito principal es la prueba y su uso es bastante dif\u00edcil, esta sintaxis no debe instalarse ni usarse en una wiki normal. No hay soluciones alternativas conocidas aparte de la actualizaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-80\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.4.5\",\"versionEndExcluding\":\"14.10\",\"matchCriteriaId\":\"C29609B7-15B1-4866-A45A-A9DB0ECB21D3\"}]}]}],\"references\":[{\"url\":\"https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://jira.xwiki.org/browse/XRENDERING-660\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53835\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-15T13:25:17.313296Z\"}}}], \"references\": [{\"url\": \"https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-15T13:25:19.905Z\"}}], \"cna\": {\"title\": \"XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax\", \"source\": {\"advisory\": \"GHSA-w3wh-g4m9-783p\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"xwiki\", \"product\": \"xwiki-rendering\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 5.4.5, \u003c 14.10\"}]}], \"references\": [{\"url\": \"https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p\", \"name\": \"https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7\", \"name\": \"https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://jira.xwiki.org/browse/XRENDERING-660\", \"name\": \"https://jira.xwiki.org/browse/XRENDERING-660\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it\u0027s main purpose is testing and its use is quite difficult, this syntax shouldn\u0027t be installed or used on a regular wiki. There are no known workarounds apart from upgrading.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-80\", \"description\": \"CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-14T23:00:35.577Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53835\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-15T19:49:26.336Z\", \"dateReserved\": \"2025-07-09T14:14:52.532Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-14T23:00:35.577Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-W3WH-G4M9-783P

Vulnerability from github – Published: 2025-07-14 21:40 – Updated: 2025-07-15 00:34

Summary

XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax

Details

Impact

The XHTML syntax depended on the xdom+xml/current syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). The attack works by setting the document's syntax to xdom+xml/current and then inserting content like

<document><p><metadata><metadata><entry><string>syntax</string><org.xwiki.rendering.syntax.Syntax><type><name>XHTML</name><id>xhtml</id><variants class="empty-list"></variants></type><version>5</version></org.xwiki.rendering.syntax.Syntax></entry></metadata></metadata></p><rawtext syntax="html/5.0" content="&lt;script&gt;alert(1);&lt;/script&gt;"></rawtext></document>

This has been fixed by removing the dependency on the xdom+xml/current syntax from the XHTML syntax. Note that the xdom+xml syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. We're currently not aware of any further dependencies on it.

Patches

The fix of removing the dependency has been included in XWiki 14.10. It is not released for earlier versions due to the potential breakages, among others this change makes it necessary to update the Confluence XHTML syntax as it relies on internals that were changed for the fix. Similar XSS fixes were also not applied to the LTS version 13.10.x due to the potential breakages.

Workarounds

There are no known workarounds apart from upgrading.

References

https://jira.xwiki.org/browse/XRENDERING-660
https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Severity ?

9.0 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-syntax-xhtml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.4.5"
            },
            {
              "fixed": "14.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-14T21:40:21Z",
    "nvd_published_at": "2025-07-14T23:15:25Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThe XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). The attack works by setting the document\u0027s syntax to `xdom+xml/current` and then inserting content like\n```\n\u003cdocument\u003e\u003cp\u003e\u003cmetadata\u003e\u003cmetadata\u003e\u003centry\u003e\u003cstring\u003esyntax\u003c/string\u003e\u003corg.xwiki.rendering.syntax.Syntax\u003e\u003ctype\u003e\u003cname\u003eXHTML\u003c/name\u003e\u003cid\u003exhtml\u003c/id\u003e\u003cvariants class=\"empty-list\"\u003e\u003c/variants\u003e\u003c/type\u003e\u003cversion\u003e5\u003c/version\u003e\u003c/org.xwiki.rendering.syntax.Syntax\u003e\u003c/entry\u003e\u003c/metadata\u003e\u003c/metadata\u003e\u003c/p\u003e\u003crawtext syntax=\"html/5.0\" content=\"\u0026lt;script\u0026gt;alert(1);\u0026lt;/script\u0026gt;\"\u003e\u003c/rawtext\u003e\u003c/document\u003e\n```\n\nThis has been fixed by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it\u0027s main purpose is testing and its use is quite difficult, this syntax shouldn\u0027t be installed or used on a regular wiki. We\u0027re currently not aware of any further dependencies on it.\n\n### Patches\nThe fix of removing the dependency has been included in XWiki 14.10. It is not released for earlier versions due to the potential breakages, among others this change makes it necessary to update the [Confluence XHTML syntax](https://extensions.xwiki.org/xwiki/bin/view/Extension/Confluence/Syntax%20XHTML/) as it relies on internals that were changed for the fix. Similar XSS fixes were also not applied to the LTS version 13.10.x due to the potential breakages.\n\n### Workarounds\nThere are no known workarounds apart from upgrading.\n\n### References\n* https://jira.xwiki.org/browse/XRENDERING-660\n* https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
  "id": "GHSA-w3wh-g4m9-783p",
  "modified": "2025-07-15T00:34:58Z",
  "published": "2025-07-14T21:40:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53835"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-rendering"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XRENDERING-660"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax"
}

NCSC-2025-0231

Vulnerability from csaf_ncscnl - Published: 2025-07-17 12:35 - Updated: 2025-07-17 12:35

Summary

Kwetsbaarheden verholpen in XWiki

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

XWiki heeft kwetsbaarheden verholpen in het rendering systeem en de standaard macro content parser.

Interpretaties

De kwetsbaarheden in het XWiki rendering systeem stelden aanvallers in staat om XSS-aanvallen uit te voeren door de afhankelijkheid van de `xdom+xml/current` syntax. Deze kwetsbaarheid is verholpen in versie 14.10. Daarnaast waren er kwetsbaarheden in de standaard macro content parser die leidden tot privilege-escalatie en remote code execution door problemen met geneste macro's. Deze zijn gepatcht in de versies 13.10.11, 14.4.7 en 14.10. De aanvaller kon ongeautoriseerde macro's uitvoeren door de restricties in de macro content parser te omzeilen.

Oplossingen

XWiki heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-863

Incorrect Authorization

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "XWiki heeft kwetsbaarheden verholpen in het rendering systeem en de standaard macro content parser.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden in het XWiki rendering systeem stelden aanvallers in staat om XSS-aanvallen uit te voeren door de afhankelijkheid van de `xdom+xml/current` syntax. Deze kwetsbaarheid is verholpen in versie 14.10. Daarnaast waren er kwetsbaarheden in de standaard macro content parser die leidden tot privilege-escalatie en remote code execution door problemen met geneste macro\u0027s. Deze zijn gepatcht in de versies 13.10.11, 14.4.7 en 14.10. De aanvaller kon ongeautoriseerde macro\u0027s uitvoeren door de restricties in de macro content parser te omzeilen.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "XWiki heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
        "title": "CWE-80"
      },
      {
        "category": "general",
        "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
        "title": "CWE-94"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
        "title": "CWE-79"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; github; nvd",
        "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9"
      },
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; github; nvd",
        "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p"
      }
    ],
    "title": "Kwetsbaarheden verholpen in XWiki",
    "tracking": {
      "current_release_date": "2025-07-17T12:35:48.998487Z",
      "generator": {
        "date": "2025-06-05T14:45:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.1"
        }
      },
      "id": "NCSC-2025-0231",
      "initial_release_date": "2025-07-17T12:35:48.998487Z",
      "revision_history": [
        {
          "date": "2025-07-17T12:35:48.998487Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003e=14.0|\u003c14.4.7",
                "product": {
                  "name": "vers:unknown/\u003e=14.0|\u003c14.4.7",
                  "product_id": "CSAFPID-2976360"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003e=14.5|\u003c14.10",
                "product": {
                  "name": "vers:unknown/\u003e=14.5|\u003c14.10",
                  "product_id": "CSAFPID-2976361"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003e=4.2-milestone-1|\u003c13.10.11",
                "product": {
                  "name": "vers:unknown/\u003e=4.2-milestone-1|\u003c13.10.11",
                  "product_id": "CSAFPID-2976359"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003e=5.4.5|\u003c14.10",
                "product": {
                  "name": "vers:unknown/\u003e=5.4.5|\u003c14.10",
                  "product_id": "CSAFPID-2976364"
                }
              }
            ],
            "category": "product_name",
            "name": "Xwiki-rendering"
          }
        ],
        "category": "vendor",
        "name": "XWiki"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-53835",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        },
        {
          "category": "other",
          "text": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
          "title": "CWE-80"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2976360",
          "CSAFPID-2976361",
          "CSAFPID-2976359",
          "CSAFPID-2976364"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53835 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53835.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2976360",
            "CSAFPID-2976361",
            "CSAFPID-2976359",
            "CSAFPID-2976364"
          ]
        }
      ],
      "title": "CVE-2025-53835"
    },
    {
      "cve": "CVE-2025-53836",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "title": "CWE-94"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2976360",
          "CSAFPID-2976361",
          "CSAFPID-2976359",
          "CSAFPID-2976364"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53836 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53836.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2976360",
            "CSAFPID-2976361",
            "CSAFPID-2976359",
            "CSAFPID-2976364"
          ]
        }
      ],
      "title": "CVE-2025-53836"
    }
  ]
}

FKIE_CVE-2025-53835

Vulnerability from fkie_nvd - Published: 2025-07-14 23:15 - Updated: 2025-08-26 17:52

Severity ?

9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7	Patch
security-advisories@github.com	https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p	Patch, Third Party Advisory
security-advisories@github.com	https://jira.xwiki.org/browse/XRENDERING-660	Issue Tracking
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	xwiki	xwiki	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C29609B7-15B1-4866-A45A-A9DB0ECB21D3",
              "versionEndExcluding": "14.10",
              "versionStartIncluding": "5.4.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it\u0027s main purpose is testing and its use is quite difficult, this syntax shouldn\u0027t be installed or used on a regular wiki. There are no known workarounds apart from upgrading."
    },
    {
      "lang": "es",
      "value": "XWiki Rendering es un sistema de renderizado gen\u00e9rico que convierte la entrada de texto en una sintaxis dada (sintaxis wiki, HTML, etc.) en otra sintaxis (XHTML, etc.). A partir de la versi\u00f3n 5.4.5 y antes de la versi\u00f3n 14.10, la sintaxis XHTML depend\u00eda de la sintaxis `xdom+xml/current`, que permite la creaci\u00f3n de bloques sin procesar que permiten la inserci\u00f3n de contenido HTML arbitrario, incluyendo JavaScript. Esto permite ataques XSS para usuarios que pueden editar un documento como su perfil de usuario (habilitado por defecto). Esto se ha corregido en la versi\u00f3n 14.10 eliminando la dependencia de la sintaxis `xdom+xml/current` de la sintaxis XHTML. Tenga en cuenta que la sintaxis `xdom+xml` sigue siendo vulnerable a este ataque. Como su prop\u00f3sito principal es la prueba y su uso es bastante dif\u00edcil, esta sintaxis no debe instalarse ni usarse en una wiki normal. No hay soluciones alternativas conocidas aparte de la actualizaci\u00f3n."
    }
  ],
  "id": "CVE-2025-53835",
  "lastModified": "2025-08-26T17:52:40.370",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-14T23:15:25.090",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://jira.xwiki.org/browse/XRENDERING-660"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        },
        {
          "lang": "en",
          "value": "CWE-80"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-53835 (GCVE-0-2025-53835)

GHSA-W3WH-G4M9-783P

Impact

Patches

Workarounds

References

For more information

NCSC-2025-0231

FKIE_CVE-2025-53835

Tags

Sightings

Nomenclature