CVE-2025-49585
June 13, 2025
XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.
Affected Packages
https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) >=xwiki-platform-3.0.1 <xwiki-platform-15.10.16Fix Suggestion:
Update to version xwiki-platform-15.10.16https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) >=xwiki-platform-16.0.0 <xwiki-platform-16.4.7Fix Suggestion:
Update to version xwiki-platform-16.4.7https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) >=xwiki-platform-16.5.0 <xwiki-platform-16.10.2Fix Suggestion:
Update to version xwiki-platform-16.10.2org.xwiki.platform:xwiki-platform-security-requiredrights-default (NEXUS):
Affected version(s) >=15.9-rc-1 <15.10.16Fix Suggestion:
Update to version 15.10.16org.xwiki.platform:xwiki-platform-security-requiredrights-default (NEXUS):
Affected version(s) >=16.0.0 <16.4.7Fix Suggestion:
Update to version 16.4.7org.xwiki.platform:xwiki-platform-security-requiredrights-default (NEXUS):
Affected version(s) >=16.5.0 <16.10.2Fix Suggestion:
Update to version 16.10.2Related ResourcesĀ (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.6
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
LOW
Subsequent System Integrity
LOW
Subsequent System Availability
NONE
CVSS v3
Base Score:
9
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Insufficient UI Warning of Dangerous Operations
EPSS
Base Score:
0.25
