CVE-2025-49583

Exploit

EPSS 0.22%
Veröffentlicht 13.06.2025 17:15:23
Zuletzt bearbeitet 03.09.2025 17:50:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right

XWiki is a generic wiki platform. When a user without script right creates a document with an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version < 15.10.16

Xwiki ≫ Xwiki Version >= 16.0.0 < 16.4.7

Xwiki ≫ Xwiki Version >= 16.5.0 < 16.10.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.127

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
security-advisories@github.com	5.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-270 Privilege Context Switching Error

The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.

CWE-357 Insufficient UI Warning of Dangerous Operations

The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention.

https://github.com/xwiki/xwiki-platform/commit/3d96bf3ceb167bf0213d63f0be1f7e1732eb0a92

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ff6v-w58f-v97w

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-22471

Vendor Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-49583

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-49583

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-49583

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-49583