Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2025-49587
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-13 Jun, 2025 | 18:15
Updated At-03 Sep, 2025 | 17:44

XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.06.4MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary3.18.0HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Type: Secondary
Version: 4.0
Base score: 6.4
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary
Version: 3.1
Base score: 8.0
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CPE Matches
XWiki SAS
xwiki
>>xwiki>>Versions from 15.9(inclusive) to 15.10.16(exclusive)
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
XWiki SAS
xwiki
>>xwiki>>Versions from 16.0.0(inclusive) to 16.4.7(exclusive)
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
XWiki SAS
xwiki
>>xwiki>>Versions from 16.5.0(inclusive) to 16.10.2(exclusive)
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-357Primarysecurity-advisories@github.com
CWE ID: CWE-357
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252dsecurity-advisories@github.com
Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7security-advisories@github.com
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-22470security-advisories@github.com
Exploit
Issue Tracking
Vendor Advisory
Hyperlink: https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d
Source: security-advisories@github.com
Resource:
Patch
Hyperlink: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7
Source: security-advisories@github.com
Resource:
Vendor Advisory
Hyperlink: https://jira.xwiki.org/browse/XWIKI-22470
Source: security-advisories@github.com
Resource:
Exploit
Issue Tracking
Vendor Advisory
Change History
0Changes found
Details not found