← Back

CVE-2025-49580

nvd nist
Published: Jun 13, 2025Modified: Sep 3, 2025

JSON object

Loading...
8.5
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: security-advisories@github.com (Secondary)

Description

XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.

Affected (3)

Products: Xwiki: Xwiki
Xwiki
1 product
Xwiki
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Xwiki
Xwiki
From 16.5.0 to 16.10.4
Xwiki
From 17.0.0 to 17.1.0
Xwiki
From 7.4.5 to 16.4.7

Related CWEs

CWE-266
Incorrect Privilege Assignment
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (3)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Vendor Advisory
Source: security-advisories@github.com
ExploitIssue TrackingVendor Advisory

Timeline

No history available yet.