CVE-2025-53835
BaseFortify

Publication date: 2025-07-14

Last updated on: 2025-08-26

Assigner: GitHub, Inc.

Description
XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax, which allows the creation of raw blocks that permit the insertion of arbitrary HTML content, including JavaScript. This allows XSS attacks by users who can edit a document such as their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax itself is still vulnerable to this attack. As its main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-07-15
EPSS evaluated: 2026-05-05
Reference: NVD
Affected Vendors & Products (1 associated CPE)
Vendor: xwiki
Product: xwiki
Version range: from 5.4.5 (inclusive) to 14.10 (exclusive)
CWE IDs
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-80: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in XWiki Rendering versions from 5.4.5 up to, but not including, 14.10. The XHTML syntax depended on the `xdom+xml/current` syntax, which allows insertion of arbitrary HTML content, including JavaScript, via raw blocks. This enables cross-site scripting (XSS) attacks by users who can edit documents such as their user profile. The vulnerability was fixed in version 14.10 by removing this dependency. The `xdom+xml` syntax itself remains vulnerable, but it is intended only for testing and should not be installed on a regular wiki.


How can this vulnerability impact me?

This vulnerability can lead to cross-site scripting (XSS) attacks, allowing attackers to execute arbitrary JavaScript in the context of the affected application. This can result in compromise of user accounts, theft of sensitive information, session hijacking, and potentially full system compromise depending on the privileges of the affected user. Since the vulnerability affects users who can edit documents like their user profile, it can be exploited by authenticated users with limited privileges to escalate their impact.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade XWiki Rendering to version 14.10 or later, as this version removes the vulnerable dependency on the `xdom+xml/current` syntax from the XHTML syntax. There are no known workarounds apart from upgrading.

