CVE-2025-53836

Exploit

EPSS 0.53%
Veröffentlicht 14.07.2025 23:08:34
Zuletzt bearbeitet 26.08.2025 17:52:16
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

XWiki Rendering is vulnerable to RCE attacks when processing nested macros

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

NVD 7 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 4.3 < 13.10.11

Xwiki ≫ Xwiki Version >= 14.0 < 14.4.7

Xwiki ≫ Xwiki Version >= 14.5 < 14.10

Xwiki ≫ Xwiki Version4.2 Updatemilestone1

Xwiki ≫ Xwiki Version4.2 Updatemilestone2

Xwiki ≫ Xwiki Version4.2 Updatemilestone3

Xwiki ≫ Xwiki Version4.2 Updaterc1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.53%	0.403

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9

Third Party Advisory

https://github.com/xwiki/xwiki-rendering/commit/c73fa3ccd4ac59057e48e5d4325f659e78e8f86d

Patch

https://jira.xwiki.org/browse/XRENDERING-689

Exploit

Issue Tracking

https://jira.xwiki.org/browse/XWIKI-20375

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-53836

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-53836

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-53836

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-53836