Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-j7p2-87q3-44w7: XWiki does not require right warnings for notification displayer objects

Impact

When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful.

Patches

This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.

Workarounds

We’re not aware of any real workarounds apart from just being careful with editing documents previously edited by untrusted users as a user with script, admin or programming right.

ghsa
Open in Source
#xss#vulnerability#jira

Impact

When a user without script right creates a document with an XWiki.Notifications.Code.NotificationDisplayerClass object, and later an admin edits and saves that document, the possibly malicious content of that object is output as raw HTML, allowing XSS attacks. While the notification displayer executes Velocity, the existing generic analyzer already warns admins before editing Velocity code. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful.

Patches

This vulnerability has been patched in XWiki 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns the admin before editing about the possibly malicious code.

Workarounds

We’re not aware of any real workarounds apart from just being careful with editing documents previously edited by untrusted users as a user with script, admin or programming right.

References

  • GHSA-j7p2-87q3-44w7
  • https://nvd.nist.gov/vuln/detail/CVE-2025-49587
  • xwiki/xwiki-platform@55c5d56
  • https://jira.xwiki.org/browse/XWIKI-22470

ghsa: Latest News

GHSA-7f8r-222p-6f5g: MCP Inspector proxy server lacks authentication between the Inspector client and proxy
ghsa