High severity · NVD Advisory · Published Jun 13, 2025 · Updated Jun 13, 2025
XWiki allows privilege escalation through link refactoring
CVE-2025-49580
Description
XWiki is a generic wiki platform. In versions from 8.2 and 7.4.5 up to but excluding 17.1.0-rc-1, 16.10.4, and 16.4.7, pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should never have been executed. This vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-refactoring-default (Maven) | >= 17.0.0-rc-1, < 17.1.0-rc-1 | 17.1.0-rc-1 |
| org.xwiki.platform:xwiki-platform-refactoring-default (Maven) | >= 16.5.0-rc-1, < 16.10.4 | 16.10.4 |
| org.xwiki.platform:xwiki-platform-refactoring-default (Maven) | >= 8.2, < 16.4.7 | 16.4.7 |
| org.xwiki.platform:xwiki-platform-refactoring-default (Maven) | >= 7.4.5, < 16.4.7 | 16.4.7 |
Affected products
- ghsa-coords · Range: >= 17.0.0-rc-1, < 17.1.0-rc-1
- Range: >= 17.0.0-rc-1, < 17.1.0-rc-1
References
- github.com/advisories/GHSA-jm43-hrq7-r7w6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-49580 (ghsa, ADVISORY)
- github.com/xwiki/xwiki-platform/commit/ab209acd780da69a4c5ff77ff011efd698273cec (ghsa, x_refsource_MISC, WEB)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-jm43-hrq7-r7w6 (ghsa, x_refsource_CONFIRM, WEB)
- jira.xwiki.org/browse/XWIKI-22836 (ghsa, x_refsource_MISC, WEB)