GHSA-7vpr-jm38-wr7w

Source

https://github.com/advisories/GHSA-7vpr-jm38-wr7w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-7vpr-jm38-wr7w/GHSA-7vpr-jm38-wr7w.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7vpr-jm38-wr7w

Aliases

CVE-2025-66472

Published

2025-12-10T15:46:48Z

Modified

2025-12-11T16:21:31.920475Z

Severity

6.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H CVSS Calculator

Summary

XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication

Details

Impact

A reflected XSS vulnerability in XWiki allows an attacker to send a victim to a URL with a deletion confirmation message on which the attacker-supplied script is executed when the victim clicks the "No" button. When the victim has admin or programming right, this allows the attacker to execute basically arbitrary actions on the XWiki installation including remote code execution.

Patches

This vulnerability has been patched in XWiki 16.10.10, 17.4.2 and 17.5.0 by using the affected URL parameter only in the intended context.

Workarounds

The patch can be manually applied to the templates that are present in the WAR. A restart of XWiki is needed for the changes to be applied.

Database specific

{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ],
    "nvd_published_at": "2025-12-10T22:16:27Z",
    "github_reviewed_at": "2025-12-10T15:46:48Z",
    "severity": "MODERATE"
}

References

Affected packages

Maven

org.xwiki.platform:xwiki-platform-flamingo-skin-resources

Package

Name: org.xwiki.platform:xwiki-platform-flamingo-skin-resources; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-skin-resources

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2-milestone-1

Fixed

16.10.10

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-7vpr-jm38-wr7w/GHSA-7vpr-jm38-wr7w.json"

org.xwiki.platform:xwiki-platform-flamingo-skin-resources

Package

Name: org.xwiki.platform:xwiki-platform-flamingo-skin-resources; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-skin-resources

Affected ranges

Type: ECOSYSTEM
Events: Introduced

17.0.0-rc-1

Fixed

17.4.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-7vpr-jm38-wr7w/GHSA-7vpr-jm38-wr7w.json"

org.xwiki.platform:xwiki-platform-web-templates

Package

Name: org.xwiki.platform:xwiki-platform-web-templates; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-web-templates

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2-milestone-1

Fixed

16.10.10

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-7vpr-jm38-wr7w/GHSA-7vpr-jm38-wr7w.json"

org.xwiki.platform:xwiki-platform-web-templates

Package

Name: org.xwiki.platform:xwiki-platform-web-templates; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-web-templates

Affected ranges

Type: ECOSYSTEM
Events: Introduced

17.0.0-rc-1

Fixed

17.4.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-7vpr-jm38-wr7w/GHSA-7vpr-jm38-wr7w.json"