CVE-2025-49585
BaseFortify
Publication date: 2025-06-13
Last updated on: 2025-09-03
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | to 15.10.16 (exc) |
| xwiki | xwiki | From 16.0.0 (inc) to 16.4.7 (exc) |
| xwiki | xwiki | From 16.5.0 (inc) to 16.10.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-357 | The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in XWiki allows an attacker with only edit rights (but without script or programming rights) to create a malicious XClass definition. If a user with higher privileges (script, admin, or programming rights) later edits the same document, the malicious code embedded in custom display code, computed property scripts, or database list property queries can execute with the elevated rights of that user without any warning. This can lead to unauthorized code execution and compromise system security. The issue was patched by adding an analysis mechanism for XClass properties to detect and prevent such malicious code execution. [1]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized execution of malicious code with elevated privileges, potentially compromising the confidentiality, integrity, and availability of the system. An attacker can exploit this by creating malicious XClass definitions that execute when edited by privileged users, leading to privilege escalation and possible system compromise. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting this vulnerability involves reviewing the XClass definitions in XWiki documents for custom display code, computed property scripts, or database list property queries that would execute with the rights of whoever edits the document. The patch introduced a required-rights analyzer framework that performs static analysis on these properties to determine whether elevated rights are needed. No specific network or system commands are provided; detection requires reviewing XWiki documents edited by users with script, admin, or programming rights, especially those previously edited by users holding only edit rights. The security analysis tools or logs within XWiki that implement the required-rights analyzer framework (introduced in the patch) can help flag unsafe XClass properties. There are no direct command-line commands mentioned for detection. [1, 2]
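The review described above can be partly automated over an XWiki document export. The following is an added example, not code from the advisory or from XWiki: it assumes the XML export layout (a `<class>` element whose child elements are property definitions, each carrying `customDisplay`, `script` or `sql` fields) and uses a constructed sample document.

```python
import xml.etree.ElementTree as ET

# Property-definition fields that hold code executed at render/edit time.
# Field names are assumed from XWiki's document XML export, not taken from the advisory.
CODE_FIELDS = ("customDisplay", "script", "sql")

# Constructed sample export: one XClass, last edited by a low-privilege user,
# with three properties, two of which embed script or query code.
SAMPLE_DOC_XML = """<xwikidoc>
  <web>Sandbox</web>
  <name>ExampleClass</name>
  <author>XWiki.editOnlyUser</author>
  <class>
    <name>Sandbox.ExampleClass</name>
    <title>
      <classType>com.xpn.xwiki.objects.classes.StringClass</classType>
      <customDisplay></customDisplay>
    </title>
    <owner>
      <classType>com.xpn.xwiki.objects.classes.StringClass</classType>
      <customDisplay>{{velocity}}$doc.fullName{{/velocity}}</customDisplay>
    </owner>
    <count>
      <classType>com.xpn.xwiki.objects.classes.DBListClass</classType>
      <sql>select doc.fullName from XWikiDocument doc</sql>
    </count>
  </class>
</xwikidoc>"""


def find_code_properties(doc_xml: str) -> list[dict]:
    """Return one finding per XClass property field that carries code.

    Each finding records the class, property, field and the document's last
    author, so a reviewer can prioritise classes last touched by edit-only users
    before a privileged user opens them for editing.
    """
    root = ET.fromstring(doc_xml)
    xclass = root.find("class")
    if xclass is None:  # document defines no XClass: nothing to review
        return []
    class_name = xclass.findtext("name", default="?")
    author = root.findtext("author", default="?")
    findings = []
    for prop in xclass:
        if prop.tag == "name":  # class-level name element, not a property
            continue
        for field in CODE_FIELDS:
            body = (prop.findtext(field) or "").strip()
            if body:
                findings.append({"class": class_name, "property": prop.tag,
                                 "field": field, "author": author,
                                 "snippet": body[:60]})
    return findings
```

Run it over every exported page that defines an XClass and route the findings to the users who hold script, admin, or programming rights on those spaces.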
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to upgrade XWiki to a patched version: 15.10.16, 16.4.7, or 16.10.2 or later, where the fix adds analysis of XClass properties to prevent malicious code execution. Until upgrading, restrict edit rights to trusted users only, and in particular prevent users without script or programming rights from creating or editing XClass definitions. Additionally, users with script, admin, or programming rights should review documents previously modified by less privileged users before editing them, as no effective workaround exists beyond careful review and limiting privileges. [1]