Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-49585

Good to know:

icon

Date: June 13, 2025

XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

Severity Score

Related Resources (6)

https://jira.xwiki.org/browse/XWIKI-22476
https://github.com/xwiki/xwiki-platform/commit/385bde985cdb61ebf315d30c0b144b6d2e2c2d45
https://github.com/xwiki/xwiki-platform
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-59w6-r9hm-439h
https://nvd.nist.gov/vuln/detail/CVE-2025-49585
https://www.mend.io/vulnerability-database/CVE-2025-49585

Severity Score

Weakness Type (CWE)

Insufficient UI Warning of Dangerous Operations

CWE-357

Top Fix

icon

Upgrade Version

Upgrade to version org.xwiki.platform:xwiki-platform-security-requiredrights-default:15.10.16;org.xwiki.platform:xwiki-platform-security-requiredrights-default:16.4.7;org.xwiki.platform:xwiki-platform-security-requiredrights-default:16.10.2;org.xwiki.platform:xwiki-platform-security-requiredrights-default:15.10.16;org.xwiki.platform:xwiki-platform-security-requiredrights-default:16.4.7;org.xwiki.platform:xwiki-platform-security-requiredrights-default:16.10.2;https://github.com/xwiki/xwiki-platform.git - xwiki-platform-15.10.16;https://github.com/xwiki/xwiki-platform.git - xwiki-platform-16.4.7;https://github.com/xwiki/xwiki-platform.git - xwiki-platform-16.10.2

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

Do you need more information?

Contact Us