ghsa-jm43-hrq7-r7w6
Vulnerability from github
Published
2025-06-13 20:24
Modified
2025-06-13 20:24
Severity ?
8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
XWiki allows privilege escalation through link refactoring
Details

Impact

Pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability affects all version of XWiki since 8.2 and 7.4.5.

Patches

The patch consists in only setting the originalMetadataAuthor when performing such change, so that it's displayed in the history but it has no impact on the right evaluation (i.e. the original author of the changes is still used for right computation).

This patch has been applied on XWiki 16.4.7, 17.1.0RC1, 16.10.4.

Workarounds

There's no workaround for this vulnerability, except preventing to perform any refactoring operation with users having more than edit rights. Administrators are strongly advised to upgrade. If not possible, the patch only impacts module xwiki-platform-refactoring-default so it's possible to apply the commit and rebuild and deploy only that module.

CVSS explanation

Attack vector: Network - Always for XWiki. Complexity: Low - The set of operations to perform the attack is quite easy. Attack requirements: None - Any system is vulnerable, it doesn't depend on specific condition other than user interaction. Privileges required: Low - The attacker only needs edit rights. User interaction: Active - To be successful the attack needs someone with more rights to perform a move/rename of a specific page. Confidentiality: High - The attack might lead to execution of any script. Integrity: High - The attack might lead to execution of any script. Availability: High - The attack might lead to execution of any script. Subsequent system impacts: None for any criteria. Only current system is affected.

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-refactoring-default"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "17.0.0-rc-1"
            },
            {
              "fixed": "17.1.0-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-refactoring-default"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.5.0-rc-1"
            },
            {
              "fixed": "16.10.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-refactoring-default"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.2"
            },
            {
              "fixed": "16.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 8.0-milestone-1"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-refactoring-default"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49580"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-13T20:24:24Z",
    "nvd_published_at": "2025-06-13T16:15:27Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nPages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. \nThis vulnerability affects all version of XWiki since 8.2 and 7.4.5.\n\n### Patches\n\nThe patch consists in only setting the `originalMetadataAuthor` when performing such change, so that it\u0027s displayed in the history but it has no impact on the right evaluation (i.e. the original author of the changes is still used for right computation). \n\nThis patch has been applied on XWiki 16.4.7, 17.1.0RC1, 16.10.4.\n\n### Workarounds\n\nThere\u0027s no workaround for this vulnerability, except preventing to perform any refactoring operation with users having more than edit rights. \nAdministrators are strongly advised to upgrade. If not possible, the patch only impacts module `xwiki-platform-refactoring-default` so it\u0027s possible to apply the commit and rebuild and deploy only that module.\n\n### CVSS explanation\n\nAttack vector: Network - Always for XWiki.\nComplexity: Low - The set of operations to perform the attack is quite easy.\nAttack requirements: None - Any system is vulnerable, it doesn\u0027t depend on specific condition other than user interaction.\nPrivileges required: Low - The attacker only needs edit rights.\nUser interaction: Active - To be successful the attack needs someone with more rights to perform a move/rename of a specific page.\nConfidentiality: High - The attack might lead to execution of any script.\nIntegrity: High - The attack might lead to execution of any script.\nAvailability: High - The attack might lead to execution of any script.\nSubsequent system impacts: None for any criteria. Only current system is affected.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
  "id": "GHSA-jm43-hrq7-r7w6",
  "modified": "2025-06-13T20:24:24Z",
  "published": "2025-06-13T20:24:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49580"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-22836"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "XWiki allows privilege escalation through link refactoring"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.