csaf_certbund - wid-sec-w-2025-1324

wid-sec-w-2025-1324

Vulnerability from csaf_certbund

Published

2025-06-12 22:00

Modified

2025-06-12 22:00

Summary

xwiki: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

XWiki ist eine Open-Source-Wiki-Software-Plattform, für die Erstellung und Verwaltung von Wikis und Knowledge-Management-Systemen

Angriff

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in xwiki ausnutzen, um seine Privilegien zu erhöhen, beliebigen Programmcode auszuführen, Informationen auszuspähen, Cross-Site-Scripting auszuführen oder weitere nicht spezifizierte Auswirkungen zu erzielen.

Betroffene Betriebssysteme

- Linux - Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "XWiki ist eine Open-Source-Wiki-Software-Plattform, f\u00fcr die Erstellung und Verwaltung von Wikis und Knowledge-Management-Systemen",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in xwiki ausnutzen, um seine Privilegien zu erh\u00f6hen, beliebigen Programmcode auszuf\u00fchren, Informationen auszusp\u00e4hen, Cross-Site-Scripting auszuf\u00fchren oder weitere nicht spezifizierte Auswirkungen zu erzielen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1324 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1324.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1324 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1324"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-jm43-hrq7-r7w6 vom 2025-06-12",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-9875-cw22-f7cx vom 2025-06-12",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9875-cw22-f7cx"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-c32m-27pj-4xcj vom 2025-06-12",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-ff6v-w58f-v97w vom 2025-06-12",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ff6v-w58f-v97w"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-mvp5-qx9c-c3fv vom 2025-06-12",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-59w6-r9hm-439h vom 2025-06-12",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-59w6-r9hm-439h"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-jp4x-w9cj-97q7 vom 2025-06-12",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-j7p2-87q3-44w7 vom 2025-06-12",
        "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7"
      }
    ],
    "source_lang": "en-US",
    "title": "xwiki: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-06-12T22:00:00.000+00:00",
      "generator": {
        "date": "2025-06-13T10:58:37.150+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-1324",
      "initial_release_date": "2025-06-12T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-06-12T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c16.4.7",
                "product": {
                  "name": "Open Source xwiki \u003c16.4.7",
                  "product_id": "T044619"
                }
              },
              {
                "category": "product_version",
                "name": "16.4.7",
                "product": {
                  "name": "Open Source xwiki 16.4.7",
                  "product_id": "T044619-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:16.4.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c17.1.0-rc-1",
                "product": {
                  "name": "Open Source xwiki \u003c17.1.0-rc-1",
                  "product_id": "T044620"
                }
              },
              {
                "category": "product_version",
                "name": "17.1.0-rc-1",
                "product": {
                  "name": "Open Source xwiki 17.1.0-rc-1",
                  "product_id": "T044620-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:17.1.0-rc-1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.10.4",
                "product": {
                  "name": "Open Source xwiki \u003c16.10.4",
                  "product_id": "T044621"
                }
              },
              {
                "category": "product_version",
                "name": "16.10.4",
                "product": {
                  "name": "Open Source xwiki 16.10.4",
                  "product_id": "T044621-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:16.10.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.10.3",
                "product": {
                  "name": "Open Source xwiki \u003c16.10.3",
                  "product_id": "T044622"
                }
              },
              {
                "category": "product_version",
                "name": "16.10.3",
                "product": {
                  "name": "Open Source xwiki 16.10.3",
                  "product_id": "T044622-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:16.10.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c17.0.0",
                "product": {
                  "name": "Open Source xwiki \u003c17.0.0",
                  "product_id": "T044623"
                }
              },
              {
                "category": "product_version",
                "name": "17.0.0",
                "product": {
                  "name": "Open Source xwiki 17.0.0",
                  "product_id": "T044623-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:17.0.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c15.10.16",
                "product": {
                  "name": "Open Source xwiki \u003c15.10.16",
                  "product_id": "T044624"
                }
              },
              {
                "category": "product_version",
                "name": "15.10.16",
                "product": {
                  "name": "Open Source xwiki 15.10.16",
                  "product_id": "T044624-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:15.10.16"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.10.2",
                "product": {
                  "name": "Open Source xwiki \u003c16.10.2",
                  "product_id": "T044625"
                }
              },
              {
                "category": "product_version",
                "name": "16.10.2",
                "product": {
                  "name": "Open Source xwiki 16.10.2",
                  "product_id": "T044625-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:16.10.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "xwiki"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-49580",
      "product_status": {
        "known_affected": [
          "T044621",
          "T044620",
          "T044623",
          "T044622",
          "T044625",
          "T044624",
          "T044619"
        ]
      },
      "release_date": "2025-06-12T22:00:00.000+00:00",
      "title": "CVE-2025-49580"
    },
    {
      "cve": "CVE-2025-49581",
      "product_status": {
        "known_affected": [
          "T044623",
          "T044622",
          "T044625",
          "T044624",
          "T044619"
        ]
      },
      "release_date": "2025-06-12T22:00:00.000+00:00",
      "title": "CVE-2025-49581"
    },
    {
      "cve": "CVE-2025-49582",
      "product_status": {
        "known_affected": [
          "T044623",
          "T044622",
          "T044625",
          "T044624",
          "T044619"
        ]
      },
      "release_date": "2025-06-12T22:00:00.000+00:00",
      "title": "CVE-2025-49582"
    },
    {
      "cve": "CVE-2025-49583",
      "product_status": {
        "known_affected": [
          "T044625",
          "T044624",
          "T044619"
        ]
      },
      "release_date": "2025-06-12T22:00:00.000+00:00",
      "title": "CVE-2025-49583"
    },
    {
      "cve": "CVE-2025-49584",
      "product_status": {
        "known_affected": [
          "T044623",
          "T044622",
          "T044625",
          "T044624",
          "T044619"
        ]
      },
      "release_date": "2025-06-12T22:00:00.000+00:00",
      "title": "CVE-2025-49584"
    },
    {
      "cve": "CVE-2025-49585",
      "product_status": {
        "known_affected": [
          "T044625",
          "T044624",
          "T044619"
        ]
      },
      "release_date": "2025-06-12T22:00:00.000+00:00",
      "title": "CVE-2025-49585"
    },
    {
      "cve": "CVE-2025-49586",
      "product_status": {
        "known_affected": [
          "T044623",
          "T044622",
          "T044619"
        ]
      },
      "release_date": "2025-06-12T22:00:00.000+00:00",
      "title": "CVE-2025-49586"
    },
    {
      "cve": "CVE-2025-49587",
      "product_status": {
        "known_affected": [
          "T044625",
          "T044624",
          "T044619"
        ]
      },
      "release_date": "2025-06-12T22:00:00.000+00:00",
      "title": "CVE-2025-49587"
    }
  ]
}

CVE-2025-49581 (GCVE-0-2025-49581)

Vulnerability from cvelistv5

Published

2025-06-13 16:09

Modified

2025-06-13 16:29

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')
CWE-270 - Privilege Context Switching Error
CWE-250 - Execution with Unnecessary Privileges

Summary

XWiki is a generic wiki platform. Any user with edit right on a page (could be the user's profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro's author when the parameter's value is the default value.

References

►

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9875-cw22-f7cx	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/c99d501ed41cbee6a3c02ff927714531570789de	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22760	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: >= 11.10.11, < 12.0 Version: >= 12.6.3, < 12.7 Version: >= 12.8-rc-1, < 16.4.7 Version: >= 16.5.0-rc-1, < 16.10.3 Version: >= 17.0.0-rc-1, < 17.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49581",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T16:24:56.018895Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T16:29:33.031Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 11.10.11, \u003c 12.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 12.6.3, \u003c 12.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 12.8-rc-1, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 17.0.0-rc-1, \u003c 17.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. Any user with edit right on a page (could be the user\u0027s profile) can execute code (Groovy, Python, Velocity) with programming right by defining a wiki macro. This allows full access to the whole XWiki installation. The main problem is that if a wiki macro parameter allows wiki syntax, its default value is executed with the rights of the author of the document where it is used. This can be exploited by overriding a macro like the children macro that is used in a page that has programming right like the page XWiki.ChildrenMacro and thus allows arbitrary script macros. This vulnerability has been patched in XWiki 16.4.7, 16.10.3 and 17.0.0 by executing wiki parameters with the rights of the wiki macro\u0027s author when the parameter\u0027s value is the default value."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270: Privilege Context Switching Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-250",
              "description": "CWE-250: Execution with Unnecessary Privileges",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T16:09:22.997Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9875-cw22-f7cx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9875-cw22-f7cx"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/c99d501ed41cbee6a3c02ff927714531570789de",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/c99d501ed41cbee6a3c02ff927714531570789de"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22760",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22760"
        }
      ],
      "source": {
        "advisory": "GHSA-9875-cw22-f7cx",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki allows remote code execution through default value of wiki macro wiki-type parameters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49581",
    "datePublished": "2025-06-13T16:09:22.997Z",
    "dateReserved": "2025-06-06T15:44:21.555Z",
    "dateUpdated": "2025-06-13T16:29:33.031Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49585 (GCVE-0-2025-49585)

Vulnerability from cvelistv5

Published

2025-06-13 17:33

Modified

2025-06-13 18:02

Severity ?

8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

CWE

CWE-357 - Insufficient UI Warning of Dangerous Operations

Summary

XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

References

►

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-59w6-r9hm-439h	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/385bde985cdb61ebf315d30c0b144b6d2e2c2d45	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22476	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: < 15.10.16 Version: >= 16.0.0-rc-1, < 16.4.7 Version: >= 16.5.0-rc-1, < 16.10.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49585",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T17:59:17.152454Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:02:11.331Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 15.10.16"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0-rc-1, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-357",
              "description": "CWE-357: Insufficient UI Warning of Dangerous Operations",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:33:34.357Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-59w6-r9hm-439h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-59w6-r9hm-439h"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/385bde985cdb61ebf315d30c0b144b6d2e2c2d45",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/385bde985cdb61ebf315d30c0b144b6d2e2c2d45"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22476",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22476"
        }
      ],
      "source": {
        "advisory": "GHSA-59w6-r9hm-439h",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki does not require right warnings for XClass definitions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49585",
    "datePublished": "2025-06-13T17:33:34.357Z",
    "dateReserved": "2025-06-06T15:44:21.556Z",
    "dateUpdated": "2025-06-13T18:02:11.331Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49586 (GCVE-0-2025-49586)

Vulnerability from cvelistv5

Published

2025-06-13 17:47

Modified

2025-06-13 18:07

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-863 - Incorrect Authorization

Summary

XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.

References

►

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22719	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: >= 7.2-milestone-2, < 16.4.7 Version: >= 16.5.0-rc-1, < 16.10.3 Version: >= 17.0.0-rc-1, < 17.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49586",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T18:07:25.244627Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:07:37.038Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.2-milestone-2, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 17.0.0-rc-1, \u003c 17.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:47:07.105Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22719",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22719"
        }
      ],
      "source": {
        "advisory": "GHSA-jp4x-w9cj-97q7",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki allows remote code execution through preview of XClass changes in AWM editor"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49586",
    "datePublished": "2025-06-13T17:47:07.105Z",
    "dateReserved": "2025-06-06T15:44:21.556Z",
    "dateUpdated": "2025-06-13T18:07:37.038Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49583 (GCVE-0-2025-49583)

Vulnerability from cvelistv5

Published

2025-06-13 17:04

Modified

2025-06-13 18:22

Severity ?

5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-270 - Privilege Context Switching Error
CWE-357 - Insufficient UI Warning of Dangerous Operations

Summary

XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

References

►

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ff6v-w58f-v97w	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/3d96bf3ceb167bf0213d63f0be1f7e1732eb0a92	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22471	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: < 15.10.16 Version: >= 16.0.0-rc-1, < 16.4.7 Version: >= 16.5.0-rc-1, < 16.10.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49583",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T18:21:50.968410Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:22:11.872Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 15.10.16"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0-rc-1, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-270",
              "description": "CWE-270: Privilege Context Switching Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-357",
              "description": "CWE-357: Insufficient UI Warning of Dangerous Operations",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:34:11.350Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ff6v-w58f-v97w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ff6v-w58f-v97w"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/3d96bf3ceb167bf0213d63f0be1f7e1732eb0a92",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/3d96bf3ceb167bf0213d63f0be1f7e1732eb0a92"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22471",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22471"
        }
      ],
      "source": {
        "advisory": "GHSA-ff6v-w58f-v97w",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49583",
    "datePublished": "2025-06-13T17:04:49.975Z",
    "dateReserved": "2025-06-06T15:44:21.556Z",
    "dateUpdated": "2025-06-13T18:22:11.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49580 (GCVE-0-2025-49580)

Vulnerability from cvelistv5

Published

2025-06-13 15:45

Modified

2025-06-13 18:09

Severity ?

8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-266 - Incorrect Privilege Assignment

Summary

XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.

References

►

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22836	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: >= 17.0.0-rc-1, < 17.1.0-rc-1 Version: >= 16.5.0-rc-1, < 16.10.4 Version: >= 8.2, < 16.4.7 Version: >= 7.4.5, < 8.0-milestone-1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49580",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T18:08:56.660431Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:09:04.665Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 17.0.0-rc-1, \u003c 17.1.0-rc-1"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.2, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.4.5, \u003c 8.0-milestone-1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "CWE-266: Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T15:45:58.451Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22836",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22836"
        }
      ],
      "source": {
        "advisory": "GHSA-jm43-hrq7-r7w6",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki allows privilege escalation through link refactoring"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49580",
    "datePublished": "2025-06-13T15:45:58.451Z",
    "dateReserved": "2025-06-06T15:44:21.555Z",
    "dateUpdated": "2025-06-13T18:09:04.665Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49584 (GCVE-0-2025-49584)

Vulnerability from cvelistv5

Published

2025-06-13 17:21

Modified

2025-06-13 18:20

Severity ?

8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE

CWE-201 - Insertion of Sensitive Information Into Sent Data

Summary

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page.

References

►

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22736	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: >= 10.9, < 16.4.7 Version: >= 16.5.0-rc-1, < 16.10.3 Version: >= 17.0.0-rc-1, < 17.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49584",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T18:19:47.734822Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:20:04.000Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 10.9, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 17.0.0-rc-1, \u003c 17.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn\u0027t affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-201",
              "description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:21:33.575Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22736",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22736"
        }
      ],
      "source": {
        "advisory": "GHSA-mvp5-qx9c-c3fv",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki makes title of inaccessible pages available through the class property values REST API"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49584",
    "datePublished": "2025-06-13T17:21:33.575Z",
    "dateReserved": "2025-06-06T15:44:21.556Z",
    "dateUpdated": "2025-06-13T18:20:04.000Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49582 (GCVE-0-2025-49582)

Vulnerability from cvelistv5

Published

2025-06-13 16:41

Modified

2025-06-13 17:34

Severity ?

8.6 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-357 - Insufficient UI Warning of Dangerous Operations

Summary

XWiki is a generic wiki platform. When editing content that contains "dangerous" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don't consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax like titles of information boxes weren't analyzed at all. Similarly, the "source" parameters of the content and context macro weren't anylzed even though they could contain arbitrary XWiki syntax. In the worst case, this could allow a malicious to add malicious script macros including Groovy or Python macros to a page that are then executed after another user with programming righs edits the page, thus allowing remote code execution. The required rights analyzers have been made more robust and extended to cover those cases in XWiki 16.4.7, 16.10.3 and 17.0.0.

References

►

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/0a705e8e253cb871b804e25c53b2bde879c886bd	x_refsource_MISC
	https://github.com/xwiki/xwiki-platform/commit/3d451e957fe2b14459e9ac64172b4a0e4c46971c	x_refsource_MISC
	https://github.com/xwiki/xwiki-platform/commit/abdcefc0db27035b67329add836fd683e0cf92b8	x_refsource_MISC
	https://github.com/xwiki/xwiki-platform/commit/cc74dc802efe0e2d3fa2ba3355dbadc51c5fd8c7	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22758	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22759	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22763	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22799	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: >= 15.9-rc-1, < 16.4.7 Version: >= 16.5.0-rc-1, < 16.10.3 Version: >= 17.0.0-rc-1, < 17.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49582",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T17:22:59.033297Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T17:23:46.285Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 15.9-rc-1, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 17.0.0-rc-1, \u003c 17.0.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is a generic wiki platform. When editing content that contains \"dangerous\" macros like malicious script macros that were authored by a user with fewer rights, XWiki warns about the execution of these macros since XWiki 15.9RC1. These required rights analyzers that trigger these warnings are incomplete, allowing an attacker to hide malicious content. For most macros, the existing analyzers don\u0027t consider non-lowercase parameters. Further, most macro parameters that can contain XWiki syntax like titles of information boxes weren\u0027t analyzed at all. Similarly, the \"source\" parameters of the content and context macro weren\u0027t anylzed even though they could contain arbitrary XWiki syntax. In the worst case, this could allow a malicious to add malicious script macros including Groovy or Python macros to a page that are then executed after another user with programming righs edits the page, thus allowing remote code execution. The required rights analyzers have been made more robust and extended to cover those cases in XWiki 16.4.7, 16.10.3 and 17.0.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-357",
              "description": "CWE-357: Insufficient UI Warning of Dangerous Operations",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:34:44.816Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/0a705e8e253cb871b804e25c53b2bde879c886bd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/0a705e8e253cb871b804e25c53b2bde879c886bd"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/3d451e957fe2b14459e9ac64172b4a0e4c46971c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/3d451e957fe2b14459e9ac64172b4a0e4c46971c"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/abdcefc0db27035b67329add836fd683e0cf92b8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/abdcefc0db27035b67329add836fd683e0cf92b8"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/cc74dc802efe0e2d3fa2ba3355dbadc51c5fd8c7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/cc74dc802efe0e2d3fa2ba3355dbadc51c5fd8c7"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22758",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22758"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22759",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22759"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22763",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22763"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22799",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22799"
        }
      ],
      "source": {
        "advisory": "GHSA-c32m-27pj-4xcj",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki\u0027s required right warnings for macros are incomplete"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49582",
    "datePublished": "2025-06-13T16:41:45.131Z",
    "dateReserved": "2025-06-06T15:44:21.555Z",
    "dateUpdated": "2025-06-13T17:34:44.816Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-49587 (GCVE-0-2025-49587)

Vulnerability from cvelistv5

Published

2025-06-13 17:51

Modified

2025-06-13 18:05

Severity ?

6.4 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

CWE

CWE-357 - Insufficient UI Warning of Dangerous Operations

Summary

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.

References

►

URL

Tags

	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7	x_refsource_CONFIRM
	https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d	x_refsource_MISC
	https://jira.xwiki.org/browse/XWIKI-22470	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: >= 15.9-rc-1, < 15.10.16 Version: >= 16.0.0-rc-1, < 16.4.7 Version: >= 16.5.0-rc-1, < 16.10.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49587",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T18:05:10.530833Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T18:05:28.952Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 15.9-rc-1, \u003c 15.10.16"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0-rc-1, \u003c 16.4.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0-rc-1, \u003c 16.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-357",
              "description": "CWE-357: Insufficient UI Warning of Dangerous Operations",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-13T17:51:48.163Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-22470",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-22470"
        }
      ],
      "source": {
        "advisory": "GHSA-j7p2-87q3-44w7",
        "discovery": "UNKNOWN"
      },
      "title": "XWiki does not require right warnings for notification displayer objects"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49587",
    "datePublished": "2025-06-13T17:51:48.163Z",
    "dateReserved": "2025-06-06T15:44:21.556Z",
    "dateUpdated": "2025-06-13T18:05:28.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

wid-sec-w-2025-1324

Vulnerability from csaf_certbund

CVE-2025-49581 (GCVE-0-2025-49581)

Vulnerability from cvelistv5

CVE-2025-49585 (GCVE-0-2025-49585)

Vulnerability from cvelistv5

CVE-2025-49586 (GCVE-0-2025-49586)

Vulnerability from cvelistv5

CVE-2025-49583 (GCVE-0-2025-49583)

Vulnerability from cvelistv5

CVE-2025-49580 (GCVE-0-2025-49580)

Vulnerability from cvelistv5

CVE-2025-49584 (GCVE-0-2025-49584)

Vulnerability from cvelistv5

CVE-2025-49582 (GCVE-0-2025-49582)

Vulnerability from cvelistv5

CVE-2025-49587 (GCVE-0-2025-49587)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature