CVE-2025-49583

Severity: MEDIUM (CVSS 4.0 base score 5.1) · EPSS 12.8%
Published Jun 13, 2025 · Last Modified Jun 17, 2026

Description

XWiki is a generic wiki platform. When a user without script right creates a document containing an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and an admin later edits and saves that document, the email templates in that object are used for notifications. No malicious code can be executed, though: while these templates allow Velocity code, the existing generic analyzer already warns admins before they edit a document containing Velocity code. The main impact would thus be sending spam, e.g., with phishing links, to other users, or hiding notifications about other attacks. Note that warnings before editing documents with dangerous properties were only introduced in XWiki 15.9; before that version this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

CVSS Details

Base Score
5.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Passive (P)
Scope X (not defined)

Threat Intelligence

EPSS Exploit Probability
12.8% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-270
CWE-357

Affected Products 3

Vendor   Product   Version Range
xwiki    xwiki     < 15.10.16
xwiki    xwiki     ≥ 16.0.0 and < 16.4.7
xwiki    xwiki     ≥ 16.5.0 and < 16.10.2

References 3

  • github.com https://github.com/xwiki/xwiki-platform/commit/3d96bf3ceb167bf0213d63f0be1f7e1732eb0a92
    Patch
  • github.com https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ff6v-w58f-v97w
    Vendor Advisory
  • jira.xwiki.org https://jira.xwiki.org/browse/XWIKI-22471
    Exploit · Issue Tracking · Vendor Advisory

Remediation

  • github.com https://github.com/xwiki/xwiki-platform/commit/3d96bf3ceb167bf0213d63f0be1f7e1732eb0a92
    Patch