CVE-2025-49587

Severity: Medium (CVSS 4.0 base score 6.4)
EPSS: 27.1%
Published: Jun 13, 2025
Last Modified: Jun 17, 2026

Description

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.
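The fix described above only adds a warning at edit time, so an admin still has to notice it, and installations older than 15.9 get no warning at all. An added audit script (written for this page; not XWiki project code) that scans XAR-style document exports for NotificationDisplayerClass objects saved by users who do not hold script right, and flags templates that would inject HTML or run Velocity once an admin re-saves the page. It assumes the XAR `<xwikidoc>` layout, that the displayer keeps its template in a property named `notificationTemplate`, and that the caller supplies the set of users known to hold script right; the sample document is constructed for the example.

```python
"""Audit XWiki XAR document exports for NotificationDisplayerClass objects.

Added example for CVE-2025-49587; not XWiki project code. Assumptions: the
XAR layout (<xwikidoc> root, <object>/<className>, <object>/<property>/<field>),
the template field name notificationTemplate, and a caller-supplied set of
users that hold script right.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

DISPLAYER_CLASS = "XWiki.Notifications.Code.NotificationDisplayerClass"
TEMPLATE_PROPERTY = "notificationTemplate"  # assumed field name

# Heuristic markers for content that does damage once rendered as raw HTML or
# executed as Velocity: script tags, inline event handlers, javascript: URLs,
# Velocity directives (#set(...), #if(...)) and variable references ($var).
SUSPICIOUS = re.compile(
    r"<script\b|\bon[a-z]+\s*=|javascript:|#[a-z_]+\s*\(|\$\{?[a-z_]",
    re.IGNORECASE,
)


@dataclass
class Finding:
    document: str
    author: str
    object_number: int
    suspicious: bool
    snippet: str


def audit_document(xml_text: str, script_right_holders: set[str]) -> list[Finding]:
    """Return one Finding per displayer object whose last author lacks script right.

    An author who already holds script right can run Velocity anyway, so only
    objects saved by other users are reported; those are the ones an admin
    would promote to raw HTML by editing and saving the page.
    """
    root = ET.fromstring(xml_text)
    doc_ref = root.get("reference") or f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("author", default="")
    findings: list[Finding] = []
    for obj in root.iter("object"):
        if obj.findtext("className") != DISPLAYER_CLASS:
            continue
        if author in script_right_holders:
            continue
        template = obj.findtext(f"property/{TEMPLATE_PROPERTY}", default="")
        findings.append(Finding(
            document=doc_ref,
            author=author,
            object_number=int(obj.findtext("number", default="0")),
            suspicious=SUSPICIOUS.search(template) is not None,
            snippet=template.strip()[:80],
        ))
    return findings


# Constructed sample export: a page last saved by a user without script right,
# carrying a displayer whose template runs Velocity and injects a script tag.
SAMPLE_DOC = """<xwikidoc version="1.3" reference="Sandbox.Report" locale="">
  <web>Sandbox</web>
  <name>Report</name>
  <author>xwiki:XWiki.Mallory</author>
  <contentAuthor>xwiki:XWiki.Mallory</contentAuthor>
  <content>Nothing to see here.</content>
  <object>
    <name>Sandbox.Report</name>
    <number>0</number>
    <className>XWiki.Notifications.Code.NotificationDisplayerClass</className>
    <property>
      <eventType>update</eventType>
    </property>
    <property>
      <notificationTemplate>#set($x = $xcontext.user)&lt;script&gt;alert($x)&lt;/script&gt;</notificationTemplate>
    </property>
  </object>
  <object>
    <name>Sandbox.Report</name>
    <number>0</number>
    <className>XWiki.TagClass</className>
    <property><tags>demo</tags></property>
  </object>
</xwikidoc>
"""


if __name__ == "__main__":
    # Admin holds script right; Mallory does not, so her displayer is reported.
    for f in audit_document(SAMPLE_DOC, {"xwiki:XWiki.Admin"}):
        flag = "SUSPICIOUS" if f.suspicious else "review"
        print(f"{flag}: {f.document} object #{f.object_number} "
              f"saved by {f.author}: {f.snippet}")
```

Run it over every document in an export before an admin bulk-edits pages; any finding is a page to clean up rather than re-save, regardless of whether the installation already shows the 15.9+ warning.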

CVSS Details

Base Score
6.4
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Attack Requirements None
Privileges Required Low
User Interaction Passive
Vulnerable System Impact (C/I/A) None / None / None
Subsequent System Impact (C/I/A) High / High / High

Threat Intelligence

EPSS Exploit Probability
27.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-357 Insufficient UI Warning of Dangerous Operations

Affected Products 3

Vendor  Product  Version  Range
xwiki   xwiki    *        ≥15.9  –  <15.10.16
xwiki   xwiki    *        ≥16.0.0  –  <16.4.7
xwiki   xwiki    *        ≥16.5.0  –  <16.10.2

References 3

  • github.com https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d
    Patch
  • github.com https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7
    Vendor Advisory
  • jira.xwiki.org https://jira.xwiki.org/browse/XWIKI-22470
    Exploit, Issue Tracking, Vendor Advisory

Remediation

Upgrade to XWiki 15.10.16, 16.4.7, or 16.10.2 (the fixed release of the affected branch). The fix is a required-rights warning shown to the admin before editing, not a sanitization of the stored object, so the warning must be heeded and the offending content removed rather than re-saved; versions before 15.9 have no such warning at all.

  • github.com https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d
    Patch