CVE-2025-49583
BaseFortify
Publication date: 2025-06-13
Last updated on: 2025-09-03
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | Up to 15.10.16 (exc) |
| xwiki | xwiki | From 16.0.0 (inc) to 16.4.7 (exc) |
| xwiki | xwiki | From 16.5.0 (inc) to 16.10.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-357 | The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention. |
| CWE-270 | The product does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in XWiki occurs when a user without script rights creates a document containing an object of the class XWiki.Notifications.Code.NotificationEmailRendererClass. If an administrator later edits and saves that document, the email templates stored in the object are used to render notification emails. Although these templates accept Velocity scripting code, no malicious code execution is possible, because the platform warns administrators before they save such code. The main issue is that an attacker could use the templates to send spam or phishing emails, or to hide notifications about other attacks. This was a known issue before XWiki version 15.9 and has been patched in later versions by adding a specific required-rights analysis so that admin rights are needed to modify these objects. [2, 1]
How can this vulnerability impact me?
The vulnerability can be exploited to send spam or phishing emails to other users, or to conceal notifications about other attacks within the XWiki platform. While it does not allow execution of malicious code, it can be used to deceive users through notification emails. There is no impact on confidentiality or availability, but there is a low impact on integrity. No effective workarounds exist other than being cautious when editing documents created by untrusted users. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying documents that contain objects of the class XWiki.Notifications.Code.NotificationEmailRendererClass and were created by users without script rights, especially where those documents have since been edited and saved by administrators. Since the vulnerability involves the email templates used for notifications, monitoring for unusual or unexpected notification emails, such as spam or phishing attempts, can also help detect exploitation. The resources provide no specific commands for detecting this vulnerability on your system or network. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to upgrade XWiki to a patched version: 15.10.16, 16.4.7, or 16.10.2, where the vulnerability has been fixed by adding a specific required-rights analysis for the relevant XClass properties. Until then, exercise caution when editing documents that may contain objects created by untrusted users without script rights, especially objects that hold email notification templates. Ensure that only users with wiki administration rights can configure or modify email notification renderer objects, as enforced by the new required-rights analyzer introduced in the patch. [1, 2]