Vulnerability-Lookup

WID-SEC-W-2025-1324

Vulnerability from csaf_certbund - Published: 2025-06-12 22:00 - Updated: 2025-06-12 22:00

Summary

xwiki: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: XWiki ist eine Open-Source-Wiki-Software-Plattform, für die Erstellung und Verwaltung von Wikis und Knowledge-Management-Systemen

Angriff: Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in xwiki ausnutzen, um seine Privilegien zu erhöhen, beliebigen Programmcode auszuführen, Informationen auszuspähen, Cross-Site-Scripting auszuführen oder weitere nicht spezifizierte Auswirkungen zu erzielen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2025-49580

CVE-2025-49581

CVE-2025-49582

CVE-2025-49583

CVE-2025-49584

CVE-2025-49585

CVE-2025-49586

CVE-2025-49587

References

URL

CVE-2025-49582 (GCVE-0-2025-49582)

Vulnerability from cvelistv5 – Published: 2025-06-13 16:41 – Updated: 2025-06-13 17:34

Title

XWiki's required right warnings for macros are incomplete

Summary

XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don't consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax like titles of information boxes weren't analyzed at all. Similarly, the "source" parameters of the content and context macro weren't anylzed even though they could contain arbitrary XWiki syntax. In the worst case, this could allow a malicious to add malicious script macros including Groovy or Python macros to a page that are then executed after another user with programming righs edits the page, thus allowing remote code execution. The required rights analyzers have been made more robust and extended to cover those cases in XWiki 16.4.7, 16.10.3 and 17.0.0.

Severity ?

8.6 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-357 - Insufficient UI Warning of Dangerous Operations

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/0a…	x_refsource_MISC
	https://github.com/xwiki/xwiki-platform/commit/3d…	x_refsource_MISC
	https://github.com/xwiki/xwiki-platform/commit/ab…	x_refsource_MISC
	https://github.com/xwiki/xwiki-platform/commit/cc…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22758	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22759	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22763	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22799	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 15.9-rc-1, < 16.4.7 Affected: >= 16.5.0-rc-1, < 16.10.3 Affected: >= 17.0.0-rc-1, < 17.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49582",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T17:22:59.033297Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T17:23:46.285Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 15.9-rc-1, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 17.0.0-rc-1, \u003c 17.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. When editing content that contains \"dangerous\" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don\u0027t consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax like titles of information boxes weren\u0027t analyzed at all. Similarly, the \"source\" parameters of the content and context macro weren\u0027t anylzed even though they could contain arbitrary XWiki syntax. In the worst case, this could allow a malicious to add malicious script macros including Groovy or Python macros to a page that are then executed after another user with programming righs edits the page, thus allowing remote code execution. The required rights analyzers have been made more robust and extended to cover those cases in XWiki 16.4.7, 16.10.3 and 17.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-357",
              "description": "CWE-357: Insufficient UI Warning of Dangerous Operations",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:34:44.816Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/0a705e8e253cb871b804e25c53b2bde879c886bd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/0a705e8e253cb871b804e25c53b2bde879c886bd"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/3d451e957fe2b14459e9ac64172b4a0e4c46971c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/3d451e957fe2b14459e9ac64172b4a0e4c46971c"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/abdcefc0db27035b67329add836fd683e0cf92b8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/abdcefc0db27035b67329add836fd683e0cf92b8"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/cc74dc802efe0e2d3fa2ba3355dbadc51c5fd8c7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/cc74dc802efe0e2d3fa2ba3355dbadc51c5fd8c7"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22758",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22758"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22759",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22759"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22763",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22763"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22799",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22799"
        }
      ],
      "source": {
        "advisory": "GHSA-c32m-27pj-4xcj",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki\u0027s required right warnings for macros are incomplete"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49582",
    "datePublished": "2025-06-13T16:41:45.131Z",
    "dateReserved": "2025-06-06T15:44:21.555Z",
    "dateUpdated": "2025-06-13T17:34:44.816Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49585 (GCVE-0-2025-49585)

Vulnerability from cvelistv5 – Published: 2025-06-13 17:33 – Updated: 2025-06-13 18:02

Title

XWiki does not require right warnings for XClass definitions

Summary

XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

Severity ?

8.6 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

CWE

CWE-357 - Insufficient UI Warning of Dangerous Operations

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/38…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22476	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: < 15.10.16 Affected: >= 16.0.0-rc-1, < 16.4.7 Affected: >= 16.5.0-rc-1, < 16.10.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49585",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T17:59:17.152454Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:02:11.331Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 15.10.16"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0-rc-1, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-357",
              "description": "CWE-357: Insufficient UI Warning of Dangerous Operations",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:33:34.357Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-59w6-r9hm-439h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-59w6-r9hm-439h"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/385bde985cdb61ebf315d30c0b144b6d2e2c2d45",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/385bde985cdb61ebf315d30c0b144b6d2e2c2d45"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22476",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22476"
        }
      ],
      "source": {
        "advisory": "GHSA-59w6-r9hm-439h",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki does not require right warnings for XClass definitions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49585",
    "datePublished": "2025-06-13T17:33:34.357Z",
    "dateReserved": "2025-06-06T15:44:21.556Z",
    "dateUpdated": "2025-06-13T18:02:11.331Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49581 (GCVE-0-2025-49581)

Vulnerability from cvelistv5 – Published: 2025-06-13 16:09 – Updated: 2025-06-13 16:29

Title

XWiki allows remote code execution through default value of wiki macro wiki-type parameters

Summary

XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro's author when the parameter's value is the default value.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')
CWE-270 - Privilege Context Switching Error
CWE-250 - Execution with Unnecessary Privileges

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/c9…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22760	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 11.10.11, < 12.0 Affected: >= 12.6.3, < 12.7 Affected: >= 12.8-rc-1, < 16.4.7 Affected: >= 16.5.0-rc-1, < 16.10.3 Affected: >= 17.0.0-rc-1, < 17.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49581",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T16:24:56.018895Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T16:29:33.031Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 11.10.11, \u003c 12.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 12.6.3, \u003c 12.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 12.8-rc-1, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 17.0.0-rc-1, \u003c 17.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. Any user with edit right on a page (could be the user\u0027s profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro\u0027s author when the parameter\u0027s value is the default value."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270: Privilege Context Switching Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-250",
              "description": "CWE-250: Execution with Unnecessary Privileges",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T16:09:22.997Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9875-cw22-f7cx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9875-cw22-f7cx"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/c99d501ed41cbee6a3c02ff927714531570789de",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/c99d501ed41cbee6a3c02ff927714531570789de"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22760",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22760"
        }
      ],
      "source": {
        "advisory": "GHSA-9875-cw22-f7cx",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki allows remote code execution through default value of wiki macro wiki-type parameters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49581",
    "datePublished": "2025-06-13T16:09:22.997Z",
    "dateReserved": "2025-06-06T15:44:21.555Z",
    "dateUpdated": "2025-06-13T16:29:33.031Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49583 (GCVE-0-2025-49583)

Vulnerability from cvelistv5 – Published: 2025-06-13 17:04 – Updated: 2025-06-13 18:22

Title

XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right

Summary

XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

Severity ?

5.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-270 - Privilege Context Switching Error
CWE-357 - Insufficient UI Warning of Dangerous Operations

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/3d…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22471	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: < 15.10.16 Affected: >= 16.0.0-rc-1, < 16.4.7 Affected: >= 16.5.0-rc-1, < 16.10.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49583",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T18:21:50.968410Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:22:11.872Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 15.10.16"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0-rc-1, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270: Privilege Context Switching Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-357",
              "description": "CWE-357: Insufficient UI Warning of Dangerous Operations",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:34:11.350Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ff6v-w58f-v97w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ff6v-w58f-v97w"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/3d96bf3ceb167bf0213d63f0be1f7e1732eb0a92",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/3d96bf3ceb167bf0213d63f0be1f7e1732eb0a92"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22471",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22471"
        }
      ],
      "source": {
        "advisory": "GHSA-ff6v-w58f-v97w",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49583",
    "datePublished": "2025-06-13T17:04:49.975Z",
    "dateReserved": "2025-06-06T15:44:21.556Z",
    "dateUpdated": "2025-06-13T18:22:11.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49584 (GCVE-0-2025-49584)

Vulnerability from cvelistv5 – Published: 2025-06-13 17:21 – Updated: 2025-06-13 18:20

Title

XWiki makes title of inaccessible pages available through the class property values REST API

Summary

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-201 - Insertion of Sensitive Information Into Sent Data

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/ee…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22736	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 10.9, < 16.4.7 Affected: >= 16.5.0-rc-1, < 16.10.3 Affected: >= 17.0.0-rc-1, < 17.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49584",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T18:19:47.734822Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:20:04.000Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 10.9, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 17.0.0-rc-1, \u003c 17.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn\u0027t affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:21:33.575Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22736",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22736"
        }
      ],
      "source": {
        "advisory": "GHSA-mvp5-qx9c-c3fv",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki makes title of inaccessible pages available through the class property values REST API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49584",
    "datePublished": "2025-06-13T17:21:33.575Z",
    "dateReserved": "2025-06-06T15:44:21.556Z",
    "dateUpdated": "2025-06-13T18:20:04.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49586 (GCVE-0-2025-49586)

Vulnerability from cvelistv5 – Published: 2025-06-13 17:47 – Updated: 2025-06-13 18:07

Title

XWiki allows remote code execution through preview of XClass changes in AWM editor

Summary

XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-863 - Incorrect Authorization

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/ef…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22719	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 7.2-milestone-2, < 16.4.7 Affected: >= 16.5.0-rc-1, < 16.10.3 Affected: >= 17.0.0-rc-1, < 17.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49586",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T18:07:25.244627Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:07:37.038Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.2-milestone-2, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 17.0.0-rc-1, \u003c 17.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:47:07.105Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22719",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22719"
        }
      ],
      "source": {
        "advisory": "GHSA-jp4x-w9cj-97q7",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki allows remote code execution through preview of XClass changes in AWM editor"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49586",
    "datePublished": "2025-06-13T17:47:07.105Z",
    "dateReserved": "2025-06-06T15:44:21.556Z",
    "dateUpdated": "2025-06-13T18:07:37.038Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49580 (GCVE-0-2025-49580)

Vulnerability from cvelistv5 – Published: 2025-06-13 15:45 – Updated: 2025-06-13 18:09

Title

XWiki allows privilege escalation through link refactoring

Summary

XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.

Severity ?

8.5 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-266 - Incorrect Privilege Assignment

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/ab…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22836	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 17.0.0-rc-1, < 17.1.0-rc-1 Affected: >= 16.5.0-rc-1, < 16.10.4 Affected: >= 8.2, < 16.4.7 Affected: >= 7.4.5, < 8.0-milestone-1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49580",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T18:08:56.660431Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:09:04.665Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 17.0.0-rc-1, \u003c 17.1.0-rc-1"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.2, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.4.5, \u003c 8.0-milestone-1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "CWE-266: Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T15:45:58.451Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22836",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22836"
        }
      ],
      "source": {
        "advisory": "GHSA-jm43-hrq7-r7w6",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki allows privilege escalation through link refactoring"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49580",
    "datePublished": "2025-06-13T15:45:58.451Z",
    "dateReserved": "2025-06-06T15:44:21.555Z",
    "dateUpdated": "2025-06-13T18:09:04.665Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49587 (GCVE-0-2025-49587)

Vulnerability from cvelistv5 – Published: 2025-06-13 17:51 – Updated: 2025-06-13 18:05

Title

XWiki does not require right warnings for notification displayer objects

Summary

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.

Severity ?

6.4 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

CWE

CWE-357 - Insufficient UI Warning of Dangerous Operations

Assigner

GitHub_M

References

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/…	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/55…	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22470	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Affected: >= 15.9-rc-1, < 15.10.16 Affected: >= 16.0.0-rc-1, < 16.4.7 Affected: >= 16.5.0-rc-1, < 16.10.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49587",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T18:05:10.530833Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:05:28.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 15.9-rc-1, \u003c 15.10.16"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0-rc-1, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-357",
              "description": "CWE-357: Insufficient UI Warning of Dangerous Operations",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:51:48.163Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22470",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22470"
        }
      ],
      "source": {
        "advisory": "GHSA-j7p2-87q3-44w7",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki does not require right warnings for notification displayer objects"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49587",
    "datePublished": "2025-06-13T17:51:48.163Z",
    "dateReserved": "2025-06-06T15:44:21.556Z",
    "dateUpdated": "2025-06-13T18:05:28.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

WID-SEC-W-2025-1324

CVE-2025-49582 (GCVE-0-2025-49582)

CVE-2025-49585 (GCVE-0-2025-49585)

CVE-2025-49581 (GCVE-0-2025-49581)

CVE-2025-49583 (GCVE-0-2025-49583)

CVE-2025-49584 (GCVE-0-2025-49584)

CVE-2025-49586 (GCVE-0-2025-49586)

CVE-2025-49580 (GCVE-0-2025-49580)

CVE-2025-49587 (GCVE-0-2025-49587)

Tags

Sightings

Nomenclature