CVE-2025-49587

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d	Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7	Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-22470	Exploit Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::

History

03 Sep 2025, 17:44

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.0
First Time		Xwiki Xwiki xwiki
References	~~() https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d -~~	() https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d - Patch
References	~~() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7 -~~	() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7 - Vendor Advisory
References	~~() https://jira.xwiki.org/browse/XWIKI-22470 -~~	() https://jira.xwiki.org/browse/XWIKI-22470 - Exploit, Issue Tracking, Vendor Advisory
CPE		cpe:2.3:a:xwiki:xwiki::::::::

16 Jun 2025, 12:32

Type	Values Removed	Values Added
Summary		(es) XWiki es una plataforma de software wiki de código abierto. Cuando un usuario sin permisos de script crea un documento con un objeto XWiki.Notifications.Code.NotificationDisplayerClass y posteriormente un administrador lo edita y lo guarda, el contenido posiblemente malicioso de dicho objeto se muestra como HTML sin formato, lo que permite ataques XSS. Mientras el visualizador de notificaciones ejecuta Velocity, el analizador genérico existente ya advierte a los administradores antes de editar el código de Velocity. Tenga en cuenta que las advertencias antes de editar documentos con propiedades peligrosas solo se introdujeron en XWiki 15.9; antes de esa versión, este era un problema conocido y la recomendación era simplemente tener cuidado. Esta vulnerabilidad se ha corregido en XWiki 15.10.16, 16.4.7 y 16.10.2 añadiendo un analizador de permisos requerido que advierte al administrador sobre el posible código malicioso antes de editar.

13 Jun 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-13 18:15

Updated : 2025-09-03 17:44

NVD link : CVE-2025-49587

Mitre link : CVE-2025-49587

CVE.ORG link : CVE-2025-49587

JSON object : View

Products Affected

xwiki

xwiki

CWE

CWE-357

Insufficient UI Warning of Dangerous Operations

8.0 /10