CVE-2025-48063

MEDIUM EPSS 51.3%
Published May 21, 20251y ago · Modified Jun 17, 20262w ago
4.8 CVSS 4.0
Medium
Find Similar
Published May 21, 2025 1y ago
Last Modified Jun 17, 2026 2w ago

Description

XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading.

CVSS Details

Base Score
4.8
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction A
Scope X

Threat Intelligence

EPSS Exploit Probability
51.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-285

Affected Products 3

VendorProductVersionRange
xwikixwiki*≥16.10.0  –  <16.10.4
xwikixwiki17.0.0any
xwikixwiki17.0.0any

References 3

  • github.com https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898
    Patch
  • github.com https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp
    PatchVendor Advisory
  • jira.xwiki.org https://jira.xwiki.org/browse/XWIKI-22859
    ExploitPatchVendor Advisory

Remediation

  • github.com https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898
    Patch
  • github.com https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp
    PatchVendor Advisory
  • jira.xwiki.org https://jira.xwiki.org/browse/XWIKI-22859
    ExploitPatchVendor Advisory