CVE-2025-49583

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-49583
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49583.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49583
Aliases
Published
2025-06-13T17:04:49.975Z
Modified
2026-04-10T05:29:00.139749Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N CVSS Calculator
Summary
XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right
Details

XWiki is a generic wiki platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationEmailRendererClass object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49583.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-270",
        "CWE-357"
    ]
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
110b60483db6e4ba9b1edfc0747a94a81d5296cf
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "15.10.16"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
6f103dbca9c98cf3b53bfadb83d982facb198d56
Fixed
f5a9a0762750936523187286919ec4c1892d6fea
Database specific 
{
    "versions": [
        {
            "introduced": "16.0.0-rc-1"
        },
        {
            "fixed": "16.4.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
ed06c998964cae931ccfe7005a67eeaedaf60e58
Fixed
105d934fe5a2f9a74958fef57cede8436c5cb63c
Database specific 
{
    "versions": [
        {
            "introduced": "16.5.0-rc-1"
        },
        {
            "fixed": "16.10.2"
        }
    ]
}

Affected versions

xwiki-platform-15.*
xwiki-platform-15.10
xwiki-platform-15.10-rc-1
xwiki-platform-15.10.1
xwiki-platform-15.10.10
xwiki-platform-15.10.11
xwiki-platform-15.10.12
xwiki-platform-15.10.13
xwiki-platform-15.10.14
xwiki-platform-15.10.15
xwiki-platform-15.10.2
xwiki-platform-15.10.3
xwiki-platform-15.10.4
xwiki-platform-15.10.5
xwiki-platform-15.10.6
xwiki-platform-15.10.7
xwiki-platform-15.10.8
xwiki-platform-15.10.9
xwiki-platform-7.*
xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2
xwiki-platform-8.*
xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1
xwiki-platform-9.*
xwiki-platform-9.9-rc-2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49583.json"