{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49587", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-06T15:44:21.556Z", "datePublished": "2025-06-13T17:51:48.163Z", "dateUpdated": "2025-06-13T18:05:28.952Z"}, "containers": {"cna": {"title": "XWiki does not require right warnings for notification displayer objects", "problemTypes": [{"descriptions": [{"cweId": "CWE-357", "lang": "en", "description": "CWE-357: Insufficient UI Warning of Dangerous Operations", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d"}, {"name": "https://jira.xwiki.org/browse/XWIKI-22470", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-22470"}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 15.9-rc-1, < 15.10.16", "status": "affected"}, {"version": ">= 16.0.0-rc-1, < 16.4.7", "status": "affected"}, {"version": ">= 16.5.0-rc-1, < 16.10.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-13T17:51:48.163Z"}, "descriptions": [{"lang": "en", "value": "XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code."}], "source": {"advisory": "GHSA-j7p2-87q3-44w7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-13T18:05:10.530833Z", "id": "CVE-2025-49587", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T18:05:28.952Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-49587", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-13T18:05:10.530833Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T18:04:02.469Z"}}], "cna": {"title": "XWiki does not require right warnings for notification displayer objects", "source": {"advisory": "GHSA-j7p2-87q3-44w7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"status": "affected", "version": ">= 15.9-rc-1, < 15.10.16"}, {"status": "affected", "version": ">= 16.0.0-rc-1, < 16.4.7"}, {"status": "affected", "version": ">= 16.5.0-rc-1, < 16.10.2"}]}], "references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7", "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d", "name": "https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d", "tags": ["x_refsource_MISC"]}, {"url": "https://jira.xwiki.org/browse/XWIKI-22470", "name": "https://jira.xwiki.org/browse/XWIKI-22470", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-357", "description": "CWE-357: Insufficient UI Warning of Dangerous Operations"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-13T17:51:48.163Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49587", "state": "PUBLISHED", "dateUpdated": "2025-06-13T18:05:28.952Z", "dateReserved": "2025-06-06T15:44:21.556Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-13T17:51:48.163Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "XWiki is an open-source wiki software platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code."}, {"lang": "es", "value": "XWiki es una plataforma de software wiki de c\u00f3digo abierto. Cuando un usuario sin permisos de script crea un documento con un objeto XWiki.Notifications.Code.NotificationDisplayerClass y posteriormente un administrador lo edita y lo guarda, el contenido posiblemente malicioso de dicho objeto se muestra como HTML sin formato, lo que permite ataques XSS. Mientras el visualizador de notificaciones ejecuta Velocity, el analizador gen\u00e9rico existente ya advierte a los administradores antes de editar el c\u00f3digo de Velocity. Tenga en cuenta que las advertencias antes de editar documentos con propiedades peligrosas solo se introdujeron en XWiki 15.9; antes de esa versi\u00f3n, este era un problema conocido y la recomendaci\u00f3n era simplemente tener cuidado. Esta vulnerabilidad se ha corregido en XWiki 15.10.16, 16.4.7 y 16.10.2 a\u00f1adiendo un analizador de permisos requerido que advierte al administrador sobre el posible c\u00f3digo malicioso antes de editar."}], "id": "CVE-2025-49587", "lastModified": "2025-06-16T12:32:18.840", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-13T18:15:22.880", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/xwiki/xwiki-platform/commit/55c5d568c4dc4619f37397d00d14dcdeab9c252d"}, {"source": "security-advisories@github.com", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j7p2-87q3-44w7"}, {"source": "security-advisories@github.com", "url": "https://jira.xwiki.org/browse/XWIKI-22470"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-357"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}