CVE-2025-49586

Published: Jun 13, 2025Modified: Sep 3, 2025

8.7

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security-advisories@github.com (Secondary)

Description

XWiki is an open-source wiki software platform. Any XWiki user with edit right on at least one App Within Minutes application (the default for all users XWiki) can obtain programming right/perform remote code execution by editing the application. This vulnerability has been fixed in XWiki 17.0.0, 16.4.7, and 16.10.3.

Affected (5)

Products: Xwiki: Xwiki

Xwiki

1 product

Xwiki

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Xwiki Xwiki	From 16.5.0 to 16.10.3
Xwiki Xwiki	From 7.3 to 16.4.7
Xwiki Xwiki	Version 17.0.0 rc1
Xwiki Xwiki	Version 7.2 milestone2
Xwiki Xwiki	Version 7.2 milestone3

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (3)

https://github.com/xwiki/xwiki-platform/commit/ef978315649cf83eae396021bb33603a1a5f7e42

Source: security-advisories@github.com

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp4x-w9cj-97q7

Source: security-advisories@github.com

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-22719

Source: security-advisories@github.com

ExploitIssue TrackingVendor Advisory

Timeline

No history available yet.