GHSA-JM43-HRQ7-R7W6

Vulnerability from github – Published: 2025-06-13 20:24 – Updated: 2025-06-13 20:24
VLAI?
Summary
XWiki allows privilege escalation through link refactoring
Details

Impact

Pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability affects all version of XWiki since 8.2 and 7.4.5.

Patches

The patch consists in only setting the originalMetadataAuthor when performing such change, so that it's displayed in the history but it has no impact on the right evaluation (i.e. the original author of the changes is still used for right computation).

This patch has been applied on XWiki 16.4.7, 17.1.0RC1, 16.10.4.

Workarounds

There's no workaround for this vulnerability, except preventing to perform any refactoring operation with users having more than edit rights. Administrators are strongly advised to upgrade. If not possible, the patch only impacts module xwiki-platform-refactoring-default so it's possible to apply the commit and rebuild and deploy only that module.

CVSS explanation

Attack vector: Network - Always for XWiki. Complexity: Low - The set of operations to perform the attack is quite easy. Attack requirements: None - Any system is vulnerable, it doesn't depend on specific condition other than user interaction. Privileges required: Low - The attacker only needs edit rights. User interaction: Active - To be successful the attack needs someone with more rights to perform a move/rename of a specific page. Confidentiality: High - The attack might lead to execution of any script. Integrity: High - The attack might lead to execution of any script. Availability: High - The attack might lead to execution of any script. Subsequent system impacts: None for any criteria. Only current system is affected.

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Severity ?
8.5 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-refactoring-default"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0-rc-1"
            },
            {
              "fixed": "17.1.0-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-refactoring-default"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.5.0-rc-1"
            },
            {
              "fixed": "16.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-refactoring-default"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.2"
            },
            {
              "fixed": "16.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 8.0-milestone-1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-refactoring-default"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-13T20:24:24Z",
    "nvd_published_at": "2025-06-13T16:15:27Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nPages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. \nThis vulnerability affects all version of XWiki since 8.2 and 7.4.5.\n\n### Patches\n\nThe patch consists in only setting the `originalMetadataAuthor` when performing such change, so that it\u0027s displayed in the history but it has no impact on the right evaluation (i.e. the original author of the changes is still used for right computation). \n\nThis patch has been applied on XWiki 16.4.7, 17.1.0RC1, 16.10.4.\n\n### Workarounds\n\nThere\u0027s no workaround for this vulnerability, except preventing to perform any refactoring operation with users having more than edit rights. \nAdministrators are strongly advised to upgrade. If not possible, the patch only impacts module `xwiki-platform-refactoring-default` so it\u0027s possible to apply the commit and rebuild and deploy only that module.\n\n### CVSS explanation\n\nAttack vector: Network - Always for XWiki.\nComplexity: Low - The set of operations to perform the attack is quite easy.\nAttack requirements: None - Any system is vulnerable, it doesn\u0027t depend on specific condition other than user interaction.\nPrivileges required: Low - The attacker only needs edit rights.\nUser interaction: Active - To be successful the attack needs someone with more rights to perform a move/rename of a specific page.\nConfidentiality: High - The attack might lead to execution of any script.\nIntegrity: High - The attack might lead to execution of any script.\nAvailability: High - The attack might lead to execution of any script.\nSubsequent system impacts: None for any criteria. Only current system is affected.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
  "id": "GHSA-jm43-hrq7-r7w6",
  "modified": "2025-06-13T20:24:24Z",
  "published": "2025-06-13T20:24:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-22836"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XWiki allows privilege escalation through link refactoring"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.