8.5

CVE-2025-49580

Exploit

XWiki allows privilege escalation through link refactoring

XWiki is a generic wiki platform. From 8.2 and 7.4.5 until 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should have never been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
XwikiXwiki Version >= 7.4.5 < 16.4.7
XwikiXwiki Version >= 16.5.0 < 16.10.4
XwikiXwiki Version >= 17.0.0 < 17.1.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.37% 0.285
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8 2.1 5.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
security-advisories@github.com 8.5 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-266 Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6
Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec
Patch
https://jira.xwiki.org/browse/XWIKI-22836
Vendor Advisory
Exploit
Issue Tracking