CVE-2025-49580

XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.

CVSS

No CVSS.

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6
https://jira.xwiki.org/browse/XWIKI-22836

Configurations

No configuration.

History

16 Jun 2025, 12:32

Type	Values Removed	Values Added
Summary		(es) XWiki es una plataforma wiki genérica. Desde las versiones 8.2 y 7.4.5 hasta las versiones 17.1.0-rc-1, 16.10.4 y 16.4.7, las páginas pueden obtener permisos de script o programación cuando contienen un enlace y el destino del enlace se renombra o se mueve. Esto podría provocar la ejecución de scripts contenidos en xobjects que nunca deberían haberse ejecutado. Esta vulnerabilidad está corregida en las versiones 17.1.0-rc-1, 16.10.4 y 16.4.7.

13 Jun 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-13 16:15

Updated : 2025-06-16 12:32

NVD link : CVE-2025-49580

Mitre link : CVE-2025-49580

CVE.ORG link : CVE-2025-49580

JSON object : View

Products Affected

No product.

CWE

CWE-266

Incorrect Privilege Assignment

{"id": "CVE-2025-49580", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-13T16:15:27.417", "references": [{"url": "https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec", "source": "security-advisories@github.com"}, {"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6", "source": "security-advisories@github.com"}, {"url": "https://jira.xwiki.org/browse/XWIKI-22836", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-266"}]}], "descriptions": [{"lang": "en", "value": "XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7."}, {"lang": "es", "value": "XWiki es una plataforma wiki gen\u00e9rica. Desde las versiones 8.2 y 7.4.5 hasta las versiones 17.1.0-rc-1, 16.10.4 y 16.4.7, las p\u00e1ginas pueden obtener permisos de script o programaci\u00f3n cuando contienen un enlace y el destino del enlace se renombra o se mueve. Esto podr\u00eda provocar la ejecuci\u00f3n de scripts contenidos en xobjects que nunca deber\u00edan haberse ejecutado. Esta vulnerabilidad est\u00e1 corregida en las versiones 17.1.0-rc-1, 16.10.4 y 16.4.7."}], "lastModified": "2025-06-16T12:32:18.840", "sourceIdentifier": "security-advisories@github.com"}