ghsa-w3wh-g4m9-783p
Vulnerability from github
Published
2025-07-14 21:40
Modified
2025-07-15 00:34
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax
Details

Impact

The XHTML syntax depended on the xdom+xml/current syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). The attack works by setting the document's syntax to xdom+xml/current and then inserting content like <document><p><metadata><metadata><entry><string>syntax</string><org.xwiki.rendering.syntax.Syntax><type><name>XHTML</name><id>xhtml</id><variants class="empty-list"></variants></type><version>5</version></org.xwiki.rendering.syntax.Syntax></entry></metadata></metadata></p><rawtext syntax="html/5.0" content="&lt;script&gt;alert(1);&lt;/script&gt;"></rawtext></document>

This has been fixed by removing the dependency on the xdom+xml/current syntax from the XHTML syntax. Note that the xdom+xml syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. We're currently not aware of any further dependencies on it.

Patches

The fix of removing the dependency has been included in XWiki 14.10. It is not released for earlier versions due to the potential breakages, among others this change makes it necessary to update the Confluence XHTML syntax as it relies on internals that were changed for the fix. Similar XSS fixes were also not applied to the LTS version 13.10.x due to the potential breakages.

Workarounds

There are no known workarounds apart from upgrading.

References

  • https://jira.xwiki.org/browse/XRENDERING-660
  • https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.rendering:xwiki-rendering-syntax-xhtml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.4.5"
            },
            {
              "fixed": "14.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-53835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-14T21:40:21Z",
    "nvd_published_at": "2025-07-14T23:15:25Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThe XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). The attack works by setting the document\u0027s syntax to `xdom+xml/current` and then inserting content like\n```\n\u003cdocument\u003e\u003cp\u003e\u003cmetadata\u003e\u003cmetadata\u003e\u003centry\u003e\u003cstring\u003esyntax\u003c/string\u003e\u003corg.xwiki.rendering.syntax.Syntax\u003e\u003ctype\u003e\u003cname\u003eXHTML\u003c/name\u003e\u003cid\u003exhtml\u003c/id\u003e\u003cvariants class=\"empty-list\"\u003e\u003c/variants\u003e\u003c/type\u003e\u003cversion\u003e5\u003c/version\u003e\u003c/org.xwiki.rendering.syntax.Syntax\u003e\u003c/entry\u003e\u003c/metadata\u003e\u003c/metadata\u003e\u003c/p\u003e\u003crawtext syntax=\"html/5.0\" content=\"\u0026lt;script\u0026gt;alert(1);\u0026lt;/script\u0026gt;\"\u003e\u003c/rawtext\u003e\u003c/document\u003e\n```\n\nThis has been fixed by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it\u0027s main purpose is testing and its use is quite difficult, this syntax shouldn\u0027t be installed or used on a regular wiki. We\u0027re currently not aware of any further dependencies on it.\n\n### Patches\nThe fix of removing the dependency has been included in XWiki 14.10. It is not released for earlier versions due to the potential breakages, among others this change makes it necessary to update the [Confluence XHTML syntax](https://extensions.xwiki.org/xwiki/bin/view/Extension/Confluence/Syntax%20XHTML/) as it relies on internals that were changed for the fix. Similar XSS fixes were also not applied to the LTS version 13.10.x due to the potential breakages.\n\n### Workarounds\nThere are no known workarounds apart from upgrading.\n\n### References\n* https://jira.xwiki.org/browse/XRENDERING-660\n* https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
  "id": "GHSA-w3wh-g4m9-783p",
  "modified": "2025-07-15T00:34:58Z",
  "published": "2025-07-14T21:40:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53835"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-rendering/commit/a4ca31f99f524b9456c64150d6f375984aa81ea7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-rendering"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XRENDERING-660"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.