CVE-2025-49585

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-49585
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49585.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-49585
Aliases
Published
2025-06-13T17:33:34.357Z
Modified
2026-04-10T05:28:59.970421Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N CVSS Calculator
Summary
XWiki does not require right warnings for XClass definitions
Details

XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1 through 16.10.1, when an attacker without script or programming right creates an XClass definition in XWiki (requires edit right), and that same document is later edited by a user with script, admin, or programming right, malicious code could be executed with the rights of the editing user without prior warning. In particular, this concerns custom display code, the script of computed properties and queries in database list properties. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49585.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-357"
    ]
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
110b60483db6e4ba9b1edfc0747a94a81d5296cf
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "15.10.16"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
6f103dbca9c98cf3b53bfadb83d982facb198d56
Fixed
f5a9a0762750936523187286919ec4c1892d6fea
Database specific 
{
    "versions": [
        {
            "introduced": "16.0.0-rc-1"
        },
        {
            "fixed": "16.4.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
ed06c998964cae931ccfe7005a67eeaedaf60e58
Fixed
105d934fe5a2f9a74958fef57cede8436c5cb63c
Database specific 
{
    "versions": [
        {
            "introduced": "16.5.0-rc-1"
        },
        {
            "fixed": "16.10.2"
        }
    ]
}

Affected versions

xwiki-platform-15.*
xwiki-platform-15.10
xwiki-platform-15.10-rc-1
xwiki-platform-15.10.1
xwiki-platform-15.10.10
xwiki-platform-15.10.11
xwiki-platform-15.10.12
xwiki-platform-15.10.13
xwiki-platform-15.10.14
xwiki-platform-15.10.15
xwiki-platform-15.10.2
xwiki-platform-15.10.3
xwiki-platform-15.10.4
xwiki-platform-15.10.5
xwiki-platform-15.10.6
xwiki-platform-15.10.7
xwiki-platform-15.10.8
xwiki-platform-15.10.9
xwiki-platform-7.*
xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2
xwiki-platform-8.*
xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1
xwiki-platform-9.*
xwiki-platform-9.9-rc-2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49585.json"