cve-2025-48063
Vulnerability from cvelistv5
Published
2025-05-21 17:38
Modified
2025-05-21 18:28
Severity ?
EPSS score ?
Summary
XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right
References
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| xwiki | xwiki-platform |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48063",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-21T18:20:23.648637Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T18:28:01.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22859"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 16.10.0-rc-1, \u003c 16.10.4"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.1.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn\u0027t have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they\u0027re not giving a right to a script or object that it didn\u0027t have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-21T17:38:37.096Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-22859",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22859"
}
],
"source": {
"advisory": "GHSA-rhfv-688c-p6hp",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48063",
"datePublished": "2025-05-21T17:38:37.096Z",
"dateReserved": "2025-05-15T16:06:40.941Z",
"dateUpdated": "2025-05-21T18:28:01.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-48063\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-21T18:15:53.200\",\"lastModified\":\"2025-05-21T20:24:58.133\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn\u0027t have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they\u0027re not giving a right to a script or object that it didn\u0027t have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading.\"},{\"lang\":\"es\",\"value\":\"XWiki es una plataforma wiki gen\u00e9rica. En XWiki 16.10.0, se introdujeron los permisos obligatorios para limitar los permisos que puede tener un documento. Parte del modelo de seguridad de los permisos obligatorios consiste en que un usuario sin permisos tampoco puede definirlos como obligatorios. De esta forma, los usuarios que editan documentos con permisos obligatorios pueden estar seguros de no otorgar permisos a un script u objeto que no pose\u00edan previamente. Un error en la implementaci\u00f3n de esta regla permiti\u00f3 que cualquier usuario con permisos de edici\u00f3n en un documento pudiera establecer permisos de programaci\u00f3n como obligatorios. Si un usuario con permisos de programaci\u00f3n editaba ese documento, el contenido obten\u00eda permisos de programaci\u00f3n, lo que permit\u00eda la ejecuci\u00f3n remota de c\u00f3digo. Esto anula la mayor\u00eda de las ventajas de seguridad de los permisos obligatorios. Dado que XWiki sigue realizando el an\u00e1lisis de permisos obligatorios cuando un usuario edita una p\u00e1gina, incluso con los permisos obligatorios, el usuario con permisos de programaci\u00f3n recibir\u00eda una advertencia sobre el contenido peligroso a menos que el atacante lograra eludir esta comprobaci\u00f3n. Tenga en cuenta tambi\u00e9n que ninguna de las versiones afectadas incluye una interfaz de usuario que permita aplicar los derechos requeridos, por lo que parece improbable que alguien confiara en ella para la seguridad en las versiones afectadas. Dado que esta vulnerabilidad no ofrece ninguna superficie de ataque adicional a menos que todos los documentos de la wiki apliquen los derechos requeridos, consideramos que el impacto de este ataque es bajo, aunque obtener los derechos de programaci\u00f3n podr\u00eda tener un impacto alto. Esta vulnerabilidad ha sido corregida en XWiki 16.10.4 y 17.1.0RC1. No existen soluciones alternativas conocidas, salvo la actualizaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"references\":[{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-22859\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-22859\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.