VYPR
Get started
← All advisories
Moderate severityNVD Advisory· Published May 21, 2025· Updated May 21, 2025

XWiki Platform Security Authorization Bridge allows users with just edit right can enforce required rights with programming right

CVE-2025-48063

Description

XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.platform:xwiki-platform-security-authorization-bridgeMaven
>= 16.10.0-rc-1, < 16.10.416.10.4
org.xwiki.platform:xwiki-platform-security-authorization-bridgeMaven
>= 17.0.0-rc-1, < 17.1.0-rc-117.1.0-rc-1

Affected products

1

Patches

1
2557813aef3b

XWIKI-22859: RightsFilterListener error when required right scope is null

https://github.com/xwiki/xwiki-platformMichael HamannFeb 6, 2025via ghsa
commit
2 files changed · +25 1
  • xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-bridge/src/main/java/org/xwiki/security/authorization/internal/RightsFilterListener.java+1 1 modified
    @@ -120,7 +120,7 @@ private void checkModifiedRequiredRights(DocumentReference user, XWikiDocument d
                 } catch (AccessDeniedException e) {
                     event.cancel(
                         "The author doesn't have the right [%s] on the [%s] level that has been specified as required."
-                            .formatted(requiredRight.right().getName(), requiredRight.scope().getLowerCase()));
+                            .formatted(requiredRight.right().getName(), requiredRight.scope()));
                     break;
                 }
             }
  • xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authorization/xwiki-platform-security-authorization-bridge/src/test/java/org/xwiki/security/authorization/internal/RightsFilterListenerTest.java+24 0 modified
    @@ -233,6 +233,30 @@ void checkEnforcedRequiredRights(boolean enableBefore) throws AccessDeniedExcept
         verify(this.authorization, never()).checkAccess(eq(Right.PROGRAM), any(), any());
     }
 
+    @Test
+    void checkNewEnforcedProgrammingRight() throws Exception
+    {
+        XWikiDocument document = createTestDocument();
+        document.setOriginalDocument(document.clone());
+        BaseObject rightObject =
+            document.newXObject(XWikiRightsDocumentInitializer.CLASS_REFERENCE, this.oldcore.getXWikiContext());
+        rightObject.setStringValue("levels", "programming");
+
+        DocumentRequiredRights requiredRights = new DocumentRequiredRights(true,
+            Set.of(new DocumentRequiredRight(Right.PROGRAM, null)));
+
+        when(this.requiredRightsReader.readRequiredRights(same(document))).thenReturn(requiredRights);
+        when(this.requiredRightsReader.readRequiredRights(same(document.getOriginalDocument())))
+            .thenReturn(DocumentRequiredRights.EMPTY);
+
+        doThrow(AccessDeniedException.class).when(this.authorization).checkAccess(Right.PROGRAM, null,
+            null);
+
+        UserUpdatingDocumentEvent event = new UserUpdatingDocumentEvent();
+        this.listener.onEvent(event, document, null);
+        assertTrue(event.isCanceled());
+    }
+
     @Test
     void checkEnforcedButAllowedRequiredRights() throws AccessDeniedException
     {

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.