GHSA-GWJ6-XPFG-PXWR
Vulnerability from github – Published: 2025-09-08 20:59 – Updated: 2025-09-10 21:05
VLAI?
Summary
XWiki Blog Application: Privilege Escalation (PR) from account through blog content
Details
Impact
The blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit their own user profile. To exploit, it is sufficient to add an object of type Blog.BlogPostClass to any page and to add some script macro with the exploit code to the "Content" field of that object.
Patches
The vulnerability has been patched in the blog application version 9.14 by executing the content of blog posts with the rights of the appropriate author.
Workarounds
We're not aware of any workarounds.
Resources
- https://jira.xwiki.org/browse/BLOG-191
- https://github.com/xwiki-contrib/application-blog/commit/b98ab6f17da3029576f42d12b4442cd555c7e0b4
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.contrib.blog:application-blog-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58365"
],
"database_specific": {
"cwe_ids": [
"CWE-250",
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-08T20:59:47Z",
"nvd_published_at": "2025-09-08T22:15:34Z",
"severity": "HIGH"
},
"details": "### Impact\nThe blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit their own user profile. To exploit, it is sufficient to add an object of type `Blog.BlogPostClass` to any page and to add some script macro with the exploit code to the \"Content\" field of that object.\n\n### Patches\nThe vulnerability has been patched in the blog application version 9.14 by executing the content of blog posts with the rights of the appropriate author.\n\n### Workarounds\nWe\u0027re not aware of any workarounds.\n\n### Resources\n* https://jira.xwiki.org/browse/BLOG-191\n* https://github.com/xwiki-contrib/application-blog/commit/b98ab6f17da3029576f42d12b4442cd555c7e0b4",
"id": "GHSA-gwj6-xpfg-pxwr",
"modified": "2025-09-10T21:05:21Z",
"published": "2025-09-08T20:59:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki-contrib/application-blog/security/advisories/GHSA-gwj6-xpfg-pxwr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58365"
},
{
"type": "WEB",
"url": "https://github.com/xwiki-contrib/application-blog/commit/b98ab6f17da3029576f42d12b4442cd555c7e0b4"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki-contrib/application-blog"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/BLOG-191"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XWiki Blog Application: Privilege Escalation (PR) from account through blog content"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…