VYPR
Critical severity · CVSS 9.1 · NVD Advisory · Published Mar 7, 2025 · Updated Apr 15, 2026

CVE-2025-27603

Description

XWiki Confluence Migrator Pro helps admins import Confluence packages into their XWiki instance. A user who does not have programming rights can execute arbitrary code, because a translation string is rendered unescaped when a page is created using the Migration Page template. This vulnerability is fixed in version 1.2.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.xwiki.confluencepro:application-confluence-migrator-pro-ui (Maven)
Affected versions: >= 1.0, < 1.2.0
Patched versions: 1.2.0

Patches

Commit 36cef2271bd4

[Misc] Improve escaping.

1 file changed · +8 -8
  • application-confluence-migrator-pro-ui/src/main/resources/ConfluenceMigratorPro/Code/MigrationSheet.xml (+8 -8, modified)
    @@ -66,15 +66,15 @@
       #else
         #set ($propertyDescriptorInputId = "qproperty_outputProperties[]")
       #end
    -  #set ($propertyDescriptorLabel = $services.localization.render("confluencepro.job.question.advanced.${propertyDescriptorId}"))
    +  #set ($propertyDescriptorLabel = $escapetool.xml($services.localization.render("confluencepro.job.question.advanced.${propertyDescriptorId}")))
       #if ("$!propertyDescriptorLabel" == "confluencepro.job.question.advanced.$propertyDescriptorId")
         #set ($propertyDescriptorLabel = $propertyDescriptor.name)
       #end
    -  #set ($propertyDescriptorAbout = $services.localization.render("confluencepro.job.question.advanced.${propertyDescriptorId}.description"))
    +  #set ($propertyDescriptorAbout = $escapetool.xml($services.localization.render("confluencepro.job.question.advanced.${propertyDescriptorId}.description")))
       #if ("$!propertyDescriptorAbout" == "confluencepro.job.question.advanced.${propertyDescriptorId}.description")
         #set ($propertyDescriptorAbout = $propertyDescriptor.description)
       #end
    -  #set ($propertyDescriptorSupportedFormats = $services.localization.render("confluencepro.job.question.advanced.${propertyDescriptorId}.supportedformats"))
    +  #set ($propertyDescriptorSupportedFormats = $escapetool.xml($services.localization.render("confluencepro.job.question.advanced.${propertyDescriptorId}.supportedformats")))
       &lt;dt&gt;
         &lt;label for="$!escapetool.xml($propertyDescriptorId)"&gt;$propertyDescriptorLabel&lt;/label&gt;
         #if ("$!propertyDescriptorAbout" != '')
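Review bot: the escaping in this hunk covers only the translation branch; the fallback assignments in the unchanged context, `#set ($propertyDescriptorLabel = $propertyDescriptor.name)` and `#set ($propertyDescriptorAbout = $propertyDescriptor.description)`, still place raw descriptor strings into variables that are emitted unescaped at `&lt;label for="$!escapetool.xml($propertyDescriptorId)"&gt;$propertyDescriptorLabel&lt;/label&gt;`. Escaping at the output site instead (wrapping the `$propertyDescriptorLabel` and `$propertyDescriptorAbout` references where they are printed) would cover both branches with one rule. Note also that the fallback test `#if ("$!propertyDescriptorLabel" == "confluencepro.job.question.advanced.$propertyDescriptorId")` now compares an escaped value against the raw key; that only works because the key contains no XML-special characters, which deserves a comment so a future key naming change does not silently break the fallback.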
    @@ -140,10 +140,10 @@
         &lt;div class="cfmTitleIcon"&gt;
           $services.icon.renderHTML('caret-down')
         &lt;/div&gt;
    -    $services.localization.render('confluencepro.job.question.advanced.link')
    +    $escapetool.xml($services.localization.render('confluencepro.job.question.advanced.link'))
       &lt;/a&gt;
       &lt;div class="xform collapse confluence-migrator-collapse" id="advancedInputFields"&gt;
    -    &lt;h2&gt;$services.localization.render('confluencepro.job.question.advanced.input')&lt;/h2&gt;
    +    &lt;h2&gt;$escapetool.xml($services.localization.render('confluencepro.job.question.advanced.input'))&lt;/h2&gt;
         &lt;dl&gt;
           &lt;input type="hidden" id="cfm-input-properties" name="ConfluenceMigratorPro.Code.MigrationClass_0_inputProperties" /&gt;
           #set ($descriptor = $services.filter.getInputFilterStreamDescriptor('confluence+xml'))
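Review bot: consistent with the rest of the fix, but `$services.icon.renderHTML('caret-down')` two lines above the first change is deliberately left unescaped because it returns markup rather than text; a short comment marking it as intentional HTML output would prevent a later sweep from wrapping it in `$escapetool.xml` and breaking the icon, and makes the boundary between trusted markup and untrusted text explicit in the template.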
    @@ -165,7 +165,7 @@
         &lt;div class="box warningmessage"&gt;
           &lt;p&gt;$escapetool.xml($services.localization.render('confluencepro.job.onlyrights.warning'))&lt;/p&gt;
         &lt;/div&gt;
    -    &lt;h2&gt;$services.localization.render('confluencepro.job.question.advanced.output')&lt;/h2&gt;
    +    &lt;h2&gt;$escapetool.xml($services.localization.render('confluencepro.job.question.advanced.output'))&lt;/h2&gt;
         &lt;dl&gt;
           &lt;input type="hidden" id="cfm-output-properties" name="ConfluenceMigratorPro.Code.MigrationClass_0_outputProperties" /&gt;
           #set ($descriptor = $services.filter.getOutputFilterStreamDescriptor('xwiki+instance'))
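Review bot: the changed `&lt;h2&gt;` now matches the pattern already present in the unchanged context, `&lt;p&gt;$escapetool.xml($services.localization.render('confluencepro.job.onlyrights.warning'))&lt;/p&gt;`, which shows the sheet already mixed escaped and unescaped translation output. It would be worth a grep over the whole sheet for `localization.render(` calls not wrapped in `escapetool.xml(` to confirm the diff covers every remaining site, since any one missed call leaves the same injection path open.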
    @@ -416,10 +416,10 @@
         &lt;/div&gt;
         #set($titleKey = "${translationPrefix}.label")
         #if ($services.localization.get($titleKey))
    -      &lt;h2&gt;$services.localization.render($titleKey)&lt;/h2&gt;
    +      &lt;h2&gt;$escapetool.xml($services.localization.render($titleKey))&lt;/h2&gt;
           #set($titleHintKey = "${translationPrefix}.hint")
           #if ($services.localization.get($titleHintKey))
    -        &lt;p class="text-muted small"&gt;$services.localization.render($titleHintKey)&lt;/p&gt;
    +        &lt;p class="text-muted small"&gt;$escapetool.xml($services.localization.render($titleHintKey))&lt;/p&gt;
           #end
         #end
         #if (!$finished)
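Review bot: here the translation key itself is dynamic (`#set($titleKey = "${translationPrefix}.label")`) and guarded by `#if ($services.localization.get($titleKey))`, so escaping the rendered value rather than the key is the right place to do it. What is missing from the patch is a regression test: register a translation for one of these keys whose value contains markup, render the sheet, and assert that the markup appears as literal text in the output, so that a future refactor cannot reintroduce the unescaped `$services.localization.render($titleKey)`.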
    

