CVE-2025-49580
8.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| xwiki | xwiki-platform | >= 17.0.0-rc-1, < 17.1.0-rc-1 | affected |
| xwiki | xwiki-platform | >= 16.5.0-rc-1, < 16.10.4 | affected |
| xwiki | xwiki-platform | >= 8.2, < 16.4.7 | affected |
| xwiki | xwiki-platform | >= 7.4.5, < 8.0-milestone-1 | affected |
Weaknesses
- CWE-266: CWE-266: Incorrect Privilege Assignment
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6
- https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec
- https://jira.xwiki.org/browse/XWIKI-22836
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.