CVE-2025-48063

XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898	Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp	Patch Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-22859	Patch Vendor Advisory Exploit
https://jira.xwiki.org/browse/XWIKI-22859	Patch Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki:17.0.0:-::::::
	cpe:2.3:a:xwiki:xwiki:17.0.0:rc1::::::

History

20 Jun 2025, 17:38

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
References	~~() https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898 -~~	() https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898 - Patch
References	~~() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp -~~	() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp - Patch, Vendor Advisory
References	~~() https://jira.xwiki.org/browse/XWIKI-22859 -~~	() https://jira.xwiki.org/browse/XWIKI-22859 - Patch, Vendor Advisory, Exploit
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
Summary		(es) XWiki es una plataforma wiki genérica. En XWiki 16.10.0, se introdujeron los permisos obligatorios para limitar los permisos que puede tener un documento. Parte del modelo de seguridad de los permisos obligatorios consiste en que un usuario sin permisos tampoco puede definirlos como obligatorios. De esta forma, los usuarios que editan documentos con permisos obligatorios pueden estar seguros de no otorgar permisos a un script u objeto que no poseían previamente. Un error en la implementación de esta regla permitió que cualquier usuario con permisos de edición en un documento pudiera establecer permisos de programación como obligatorios. Si un usuario con permisos de programación editaba ese documento, el contenido obtenía permisos de programación, lo que permitía la ejecución remota de código. Esto anula la mayoría de las ventajas de seguridad de los permisos obligatorios. Dado que XWiki sigue realizando el análisis de permisos obligatorios cuando un usuario edita una página, incluso con los permisos obligatorios, el usuario con permisos de programación recibiría una advertencia sobre el contenido peligroso a menos que el atacante lograra eludir esta comprobación. Tenga en cuenta también que ninguna de las versiones afectadas incluye una interfaz de usuario que permita aplicar los derechos requeridos, por lo que parece improbable que alguien confiara en ella para la seguridad en las versiones afectadas. Dado que esta vulnerabilidad no ofrece ninguna superficie de ataque adicional a menos que todos los documentos de la wiki apliquen los derechos requeridos, consideramos que el impacto de este ataque es bajo, aunque obtener los derechos de programación podría tener un impacto alto. Esta vulnerabilidad ha sido corregida en XWiki 16.10.4 y 17.1.0RC1. No existen soluciones alternativas conocidas, salvo la actualización.
CPE		cpe:2.3:a:xwiki:xwiki:17.0.0:-:::::: cpe:2.3:a:xwiki:xwiki:17.0.0:rc1:::::: cpe:2.3:a:xwiki:xwiki::::::::
First Time		Xwiki xwiki Xwiki

21 May 2025, 19:16

Type	Values Removed	Values Added
References	~~() https://jira.xwiki.org/browse/XWIKI-22859 -~~	() https://jira.xwiki.org/browse/XWIKI-22859 -

21 May 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-21 18:15

Updated : 2025-06-20 17:38

NVD link : CVE-2025-48063

Mitre link : CVE-2025-48063

CVE.ORG link : CVE-2025-48063

JSON object : View

Products Affected

xwiki

xwiki

CWE

CWE-285

Improper Authorization

NVD-CWE-noinfo

8.8 /10