CVE-2025-46558

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-46558
XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting (XSS) through HTML. In particular, using Markdown syntax, it's possible for any user to embed Javascript code that will then be executed on the browser of any other user visiting either the document or the comment that contains it. In the instance that this code is executed by a user with admins or programming rights, this issue compromises the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in version 8.9.

9.0 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/xwiki-contrib/syntax-markdown/commit/d136472d6e8a47981a0ede420a9096f88ffa5035
https://github.com/xwiki-contrib/syntax-markdown/security/advisories/GHSA-8g2j-rhfh-hq3r
https://jira.xwiki.org/browse/MARKDOWN-80
Configurations

No configuration.

History

02 May 2025, 13:53

Type Values Removed Values Added
Summary
  • (es) XWiki Contrib's Syntax Markdown permite importar contenido Markdown a páginas wiki y crear contenido wiki en Markdown. En versiones desde la 8.2 hasta anteriores a la 8.9, la sintaxis Markdown es vulnerable a ataques de cross-site scripting (XSS) a través de HTML. En particular, al usar la sintaxis Markdown, cualquier usuario puede incrustar código Javascript que se ejecutará en el navegador de cualquier otro usuario que visite el documento o el comentario que lo contiene. Si este código lo ejecuta un usuario con permisos de administrador o programación, este problema compromete la confidencialidad, integridad y disponibilidad de toda la instalación de XWiki. Este problema se ha corregido en la versión 8.9.

30 Apr 2025, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-30 19:15

Updated : 2025-05-02 13:53

NVD link : CVE-2025-46558

Mitre link : CVE-2025-46558

CVE.ORG link : CVE-2025-46558

JSON object : View

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')