cvelistv5 - cve-2025-53836

CVE-2025-53836 (GCVE-0-2025-53836)

Vulnerability from cvelistv5 – Published: 2025-07-14 23:08 – Updated: 2025-07-15 19:49

Summary

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-863 - Incorrect Authorization
CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-rendering/security…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-rendering/commit/c…	x_refsource_MISC
	https://jira.xwiki.org/browse/XRENDERING-689	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-20375	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-rendering	Affected: >= 4.2-milestone-1, < 13.10.11 Affected: >= 14.0, < 14.4.7 Affected: >= 14.5, < 14.10

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53836",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-15T13:24:52.433487Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-15T19:49:20.208Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-rendering",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.2-milestone-1, \u003c 13.10.11"
            },
            {
              "status": "affected",
              "version": "\u003e= 14.0, \u003c 14.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 14.5, \u003c 14.10"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn\u0027t preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T23:08:34.071Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9"
        },
        {
          "name": "https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d"
        },
        {
          "name": "https://jira.xwiki.org/browse/XRENDERING-689",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XRENDERING-689"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-20375",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-20375"
        }
      ],
      "source": {
        "advisory": "GHSA-32mf-57h2-64x9",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki Rendering is vulnerable to RCE attacks when processing nested macros"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53836",
    "datePublished": "2025-07-14T23:08:34.071Z",
    "dateReserved": "2025-07-09T14:14:52.532Z",
    "dateUpdated": "2025-07-15T19:49:20.208Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-53836\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-15T00:15:22.370\",\"lastModified\":\"2025-08-26T17:52:16.700\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn\u0027t preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.\"},{\"lang\":\"es\",\"value\":\"XWiki Rendering es un sistema de renderizado gen\u00e9rico que convierte la entrada textual en una sintaxis dada (sintaxis wiki, HTML, etc.) en otra sintaxis (XHTML, etc.). A partir de la versi\u00f3n 4.2-milestone-1 y anteriores a las versiones 13.10.11, 14.4.7 y 14.10, el analizador de contenido de macros predeterminado no conserva el atributo restringido del contexto de transformaci\u00f3n al ejecutar macros anidadas. Esto permite ejecutar macros que normalmente est\u00e1n prohibidas en modo restringido, en particular las macros de script. Las macros de cach\u00e9 y gr\u00e1ficos incluidas en XWiki utilizan esta funci\u00f3n vulnerable. Esto se ha corregido en XWiki 13.10.11, 14.4.7 y 14.10. Para evitar que se aproveche este fallo, se pueden desactivar los comentarios para usuarios no confiables hasta que se actualice a una versi\u00f3n corregida. Tenga en cuenta que los usuarios con permisos de edici\u00f3n podr\u00e1n a\u00f1adir comentarios a trav\u00e9s del editor de objetos, incluso si los comentarios se han desactivado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"},{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.3\",\"versionEndExcluding\":\"13.10.11\",\"matchCriteriaId\":\"0E92E140-D0A7-4CBD-AD0A-96B49A0C5320\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"14.0\",\"versionEndExcluding\":\"14.4.7\",\"matchCriteriaId\":\"FA3A5151-58FB-48CF-BFFB-5688608200C8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"14.5\",\"versionEndExcluding\":\"14.10\",\"matchCriteriaId\":\"569EE28C-5C86-467F-A153-DD4B9BF0053D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:4.2:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"61814CC0-5C6A-469F-8436-F39577949E04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:4.2:milestone2:*:*:*:*:*:*\",\"matchCriteriaId\":\"CFC3527D-024A-47A6-9684-C37B9CF3AC76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:4.2:milestone3:*:*:*:*:*:*\",\"matchCriteriaId\":\"BC907C33-432E-4153-B1A2-9B8BF9167E1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:4.2:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"EFF3A761-5E8B-447D-94D8-04895755876C\"}]}]}],\"references\":[{\"url\":\"https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://jira.xwiki.org/browse/XRENDERING-689\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-20375\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53836\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-15T13:24:52.433487Z\"}}}], \"references\": [{\"url\": \"https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-15T13:24:57.244Z\"}}], \"cna\": {\"title\": \"XWiki Rendering is vulnerable to RCE attacks when processing nested macros\", \"source\": {\"advisory\": \"GHSA-32mf-57h2-64x9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"xwiki\", \"product\": \"xwiki-rendering\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.2-milestone-1, \u003c 13.10.11\"}, {\"status\": \"affected\", \"version\": \"\u003e= 14.0, \u003c 14.4.7\"}, {\"status\": \"affected\", \"version\": \"\u003e= 14.5, \u003c 14.10\"}]}], \"references\": [{\"url\": \"https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9\", \"name\": \"https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d\", \"name\": \"https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://jira.xwiki.org/browse/XRENDERING-689\", \"name\": \"https://jira.xwiki.org/browse/XRENDERING-689\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://jira.xwiki.org/browse/XWIKI-20375\", \"name\": \"https://jira.xwiki.org/browse/XWIKI-20375\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn\u0027t preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863: Incorrect Authorization\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-14T23:08:34.071Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53836\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-15T19:49:20.208Z\", \"dateReserved\": \"2025-07-09T14:14:52.532Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-14T23:08:34.071Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-32MF-57H2-64X9

Vulnerability from github – Published: 2025-07-14 22:03 – Updated: 2025-07-15 00:35

Summary

XWiki Rendering is vulnerable to RCE attacks when processing nested macros

Details

Impact

The default macro content parser didn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. The following XWiki syntax, when used inside a comment in XWiki, demonstrates the privilege escalation from comment right to programming right and thus remote code execution (RCE) that is possible due to this:

{{cache}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/cache}}

This vulnerability exists since the restricted attribute has been added to the transformation context in version 4.2.

Patches

This has been patched in XWiki 13.10.11, 14.4.7 and 14.10.

Workarounds

To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.

Resources

https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d
https://jira.xwiki.org/browse/XRENDERING-689
https://jira.xwiki.org/browse/XWIKI-20375

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

This vulnerability has been reported on Intigriti by René de Sain @renniepak.

Severity ?

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-transformation-macro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.2-milestone-1"
            },
            {
              "fixed": "13.10.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-transformation-macro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0"
            },
            {
              "fixed": "14.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-transformation-macro"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.5"
            },
            {
              "fixed": "14.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53836"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-14T22:03:06Z",
    "nvd_published_at": "2025-07-15T00:15:22Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nThe default macro content parser didn\u0027t preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The [cache](https://extensions.xwiki.org/xwiki/bin/view/Extension/Cache%20Macro) and [chart](https://extensions.xwiki.org/xwiki/bin/view/Extension/Chart%20Macro) macros that are bundled in XWiki use the vulnerable feature. The following XWiki syntax, when used inside a comment in XWiki, demonstrates the privilege escalation from comment right to programming right and thus remote code execution (RCE) that is possible due to this:\n\n```\n{{cache}}{{groovy}}println(\"Hello from Groovy!\"){{/groovy}}{{/cache}}\n```\n\nThis vulnerability exists since the restricted attribute has been added to the transformation context in version 4.2.\n\n### Patches\nThis has been patched in XWiki 13.10.11, 14.4.7 and 14.10.\n\n### Workarounds\nTo avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.\n\n### Resources\n* https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d\n* https://jira.xwiki.org/browse/XRENDERING-689\n* https://jira.xwiki.org/browse/XWIKI-20375\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nThis vulnerability has been reported on Intigriti by Ren\u00e9 de Sain @renniepak.",
  "id": "GHSA-32mf-57h2-64x9",
  "modified": "2025-07-15T00:35:24Z",
  "published": "2025-07-14T22:03:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53836"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-rendering"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XRENDERING-689"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20375"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Rendering is vulnerable to RCE attacks when processing nested macros"
}

NCSC-2025-0231

Vulnerability from csaf_ncscnl - Published: 2025-07-17 12:35 - Updated: 2025-07-17 12:35

Summary

Kwetsbaarheden verholpen in XWiki

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

XWiki heeft kwetsbaarheden verholpen in het rendering systeem en de standaard macro content parser.

Interpretaties

De kwetsbaarheden in het XWiki rendering systeem stelden aanvallers in staat om XSS-aanvallen uit te voeren door de afhankelijkheid van de `xdom+xml/current` syntax. Deze kwetsbaarheid is verholpen in versie 14.10. Daarnaast waren er kwetsbaarheden in de standaard macro content parser die leidden tot privilege-escalatie en remote code execution door problemen met geneste macro's. Deze zijn gepatcht in de versies 13.10.11, 14.4.7 en 14.10. De aanvaller kon ongeautoriseerde macro's uitvoeren door de restricties in de macro content parser te omzeilen.

Oplossingen

XWiki heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.

Kans

medium

Schade

high

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-863

Incorrect Authorization

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "XWiki heeft kwetsbaarheden verholpen in het rendering systeem en de standaard macro content parser.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "De kwetsbaarheden in het XWiki rendering systeem stelden aanvallers in staat om XSS-aanvallen uit te voeren door de afhankelijkheid van de `xdom+xml/current` syntax. Deze kwetsbaarheid is verholpen in versie 14.10. Daarnaast waren er kwetsbaarheden in de standaard macro content parser die leidden tot privilege-escalatie en remote code execution door problemen met geneste macro\u0027s. Deze zijn gepatcht in de versies 13.10.11, 14.4.7 en 14.10. De aanvaller kon ongeautoriseerde macro\u0027s uitvoeren door de restricties in de macro content parser te omzeilen.",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "XWiki heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
        "title": "CWE-80"
      },
      {
        "category": "general",
        "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
        "title": "CWE-94"
      },
      {
        "category": "general",
        "text": "Incorrect Authorization",
        "title": "CWE-863"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
        "title": "CWE-79"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; github; nvd",
        "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9"
      },
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; github; nvd",
        "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p"
      }
    ],
    "title": "Kwetsbaarheden verholpen in XWiki",
    "tracking": {
      "current_release_date": "2025-07-17T12:35:48.998487Z",
      "generator": {
        "date": "2025-06-05T14:45:00Z",
        "engine": {
          "name": "V.A.",
          "version": "1.1"
        }
      },
      "id": "NCSC-2025-0231",
      "initial_release_date": "2025-07-17T12:35:48.998487Z",
      "revision_history": [
        {
          "date": "2025-07-17T12:35:48.998487Z",
          "number": "1.0.0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003e=14.0|\u003c14.4.7",
                "product": {
                  "name": "vers:unknown/\u003e=14.0|\u003c14.4.7",
                  "product_id": "CSAFPID-2976360"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003e=14.5|\u003c14.10",
                "product": {
                  "name": "vers:unknown/\u003e=14.5|\u003c14.10",
                  "product_id": "CSAFPID-2976361"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003e=4.2-milestone-1|\u003c13.10.11",
                "product": {
                  "name": "vers:unknown/\u003e=4.2-milestone-1|\u003c13.10.11",
                  "product_id": "CSAFPID-2976359"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:unknown/\u003e=5.4.5|\u003c14.10",
                "product": {
                  "name": "vers:unknown/\u003e=5.4.5|\u003c14.10",
                  "product_id": "CSAFPID-2976364"
                }
              }
            ],
            "category": "product_name",
            "name": "Xwiki-rendering"
          }
        ],
        "category": "vendor",
        "name": "XWiki"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-53835",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "title": "CWE-79"
        },
        {
          "category": "other",
          "text": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
          "title": "CWE-80"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2976360",
          "CSAFPID-2976361",
          "CSAFPID-2976359",
          "CSAFPID-2976364"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53835 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53835.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.0,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2976360",
            "CSAFPID-2976361",
            "CSAFPID-2976359",
            "CSAFPID-2976364"
          ]
        }
      ],
      "title": "CVE-2025-53835"
    },
    {
      "cve": "CVE-2025-53836",
      "cwe": {
        "id": "CWE-94",
        "name": "Improper Control of Generation of Code (\u0027Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
          "title": "CWE-94"
        },
        {
          "category": "other",
          "text": "Incorrect Authorization",
          "title": "CWE-863"
        },
        {
          "category": "general",
          "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
          "title": "CVSSV4"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-2976360",
          "CSAFPID-2976361",
          "CSAFPID-2976359",
          "CSAFPID-2976364"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2025-53836 | NCSC-NL Website",
          "url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-53836.json"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-2976360",
            "CSAFPID-2976361",
            "CSAFPID-2976359",
            "CSAFPID-2976364"
          ]
        }
      ],
      "title": "CVE-2025-53836"
    }
  ]
}

FKIE_CVE-2025-53836

Vulnerability from fkie_nvd - Published: 2025-07-15 00:15 - Updated: 2025-08-26 17:52

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d	Patch
security-advisories@github.com	https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9	Third Party Advisory
security-advisories@github.com	https://jira.xwiki.org/browse/XRENDERING-689	Exploit, Issue Tracking
security-advisories@github.com	https://jira.xwiki.org/browse/XWIKI-20375	Exploit, Issue Tracking
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9	Third Party Advisory

Impacted products

Vendor	Product	Version
xwiki	xwiki	*
xwiki	xwiki	*
xwiki	xwiki	*
xwiki	xwiki	4.2
xwiki	xwiki	4.2
xwiki	xwiki	4.2
xwiki	xwiki	4.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0E92E140-D0A7-4CBD-AD0A-96B49A0C5320",
              "versionEndExcluding": "13.10.11",
              "versionStartIncluding": "4.3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA3A5151-58FB-48CF-BFFB-5688608200C8",
              "versionEndExcluding": "14.4.7",
              "versionStartIncluding": "14.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "569EE28C-5C86-467F-A153-DD4B9BF0053D",
              "versionEndExcluding": "14.10",
              "versionStartIncluding": "14.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:xwiki:xwiki:4.2:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "61814CC0-5C6A-469F-8436-F39577949E04",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:xwiki:xwiki:4.2:milestone2:*:*:*:*:*:*",
              "matchCriteriaId": "CFC3527D-024A-47A6-9684-C37B9CF3AC76",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:xwiki:xwiki:4.2:milestone3:*:*:*:*:*:*",
              "matchCriteriaId": "BC907C33-432E-4153-B1A2-9B8BF9167E1B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:xwiki:xwiki:4.2:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "EFF3A761-5E8B-447D-94D8-04895755876C",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn\u0027t preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled."
    },
    {
      "lang": "es",
      "value": "XWiki Rendering es un sistema de renderizado gen\u00e9rico que convierte la entrada textual en una sintaxis dada (sintaxis wiki, HTML, etc.) en otra sintaxis (XHTML, etc.). A partir de la versi\u00f3n 4.2-milestone-1 y anteriores a las versiones 13.10.11, 14.4.7 y 14.10, el analizador de contenido de macros predeterminado no conserva el atributo restringido del contexto de transformaci\u00f3n al ejecutar macros anidadas. Esto permite ejecutar macros que normalmente est\u00e1n prohibidas en modo restringido, en particular las macros de script. Las macros de cach\u00e9 y gr\u00e1ficos incluidas en XWiki utilizan esta funci\u00f3n vulnerable. Esto se ha corregido en XWiki 13.10.11, 14.4.7 y 14.10. Para evitar que se aproveche este fallo, se pueden desactivar los comentarios para usuarios no confiables hasta que se actualice a una versi\u00f3n corregida. Tenga en cuenta que los usuarios con permisos de edici\u00f3n podr\u00e1n a\u00f1adir comentarios a trav\u00e9s del editor de objetos, incluso si los comentarios se han desactivado."
    }
  ],
  "id": "CVE-2025-53836",
  "lastModified": "2025-08-26T17:52:16.700",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-07-15T00:15:22.370",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://jira.xwiki.org/browse/XRENDERING-689"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking"
      ],
      "url": "https://jira.xwiki.org/browse/XWIKI-20375"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        },
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-53836 (GCVE-0-2025-53836)

GHSA-32MF-57H2-64X9

Impact

Patches

Workarounds

Resources

For more information

Attribution

NCSC-2025-0231

FKIE_CVE-2025-53836

Tags

Sightings

Nomenclature