CVE-2025-49587

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-49587
XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.
CVSS

No CVSS.

References
Link Resource
https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7
https://jira.xwiki.org/browse/XWIKI-22470
Configurations

No configuration.

History

16 Jun 2025, 12:32

Type Values Removed Values Added
Summary
  • (es) XWiki es una plataforma de software wiki de código abierto. Cuando un usuario sin permisos de script crea un documento con un objeto XWiki.Notifications.Code.NotificationDisplayerClass y posteriormente un administrador lo edita y lo guarda, el contenido posiblemente malicioso de dicho objeto se muestra como HTML sin formato, lo que permite ataques XSS. Mientras el visualizador de notificaciones ejecuta Velocity, el analizador genérico existente ya advierte a los administradores antes de editar el código de Velocity. Tenga en cuenta que las advertencias antes de editar documentos con propiedades peligrosas solo se introdujeron en XWiki 15.9; antes de esa versión, este era un problema conocido y la recomendación era simplemente tener cuidado. Esta vulnerabilidad se ha corregido en XWiki 15.10.16, 16.4.7 y 16.10.2 añadiendo un analizador de permisos requerido que advierte al administrador sobre el posible código malicioso antes de editar.

13 Jun 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-13 18:15

Updated : 2025-06-16 12:32

NVD link : CVE-2025-49587

Mitre link : CVE-2025-49587

CVE.ORG link : CVE-2025-49587

JSON object : View

Products Affected

No product.

CWE
CWE-357

Insufficient UI Warning of Dangerous Operations