Moderate severityNVD Advisory· Published Jun 13, 2025· Updated Jun 13, 2025
XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right
CVE-2025-49583
Description
XWiki is a generic wiki platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationEmailRendererClass object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can be executed, though, as while these templates allow Velocity code, the existing generic analyzer already warns admins before editing Velocity code. The main impact would thus be to send spam, e.g., with phishing links to other users or to hide notifications about other attacks. Note that warnings before editing documents with dangerous properties have only been introduced in XWiki 15.9, before that version, this was a known issue and the advice was simply to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the respective XClass properties.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-notifications-notifiers-defaultMaven | < 15.10.16 | 15.10.16 |
org.xwiki.platform:xwiki-platform-notifications-notifiers-defaultMaven | >= 16.0.0-rc-1, < 16.4.7 | 16.4.7 |
org.xwiki.platform:xwiki-platform-notifications-notifiers-defaultMaven | >= 16.5.0-rc-1, < 16.10.2 | 16.10.2 |
Affected products
1- Range: < 15.10.16
Patches
13d96bf3ceb16XWIKI-22471: Add a required rights analyzer for XWiki.Notifications.Code.NotificationEmailRendererClass
4 files changed · +118 −0
xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-notifiers/xwiki-platform-notifications-notifiers-default/src/main/java/org/xwiki/notifications/notifiers/internal/email/WikiEmailNotificationRendererRequiredRightAnalyzer.java+59 −0 added@@ -0,0 +1,59 @@ +/* + * See the NOTICE file distributed with this work for additional + * information regarding copyright ownership. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ +package org.xwiki.notifications.notifiers.internal.email; + +import java.util.List; + +import javax.inject.Inject; +import javax.inject.Named; +import javax.inject.Singleton; + +import org.xwiki.component.annotation.Component; +import org.xwiki.platform.security.requiredrights.RequiredRight; +import org.xwiki.platform.security.requiredrights.RequiredRightAnalysisResult; +import org.xwiki.platform.security.requiredrights.RequiredRightAnalyzer; +import org.xwiki.platform.security.requiredrights.RequiredRightsException; +import org.xwiki.platform.security.requiredrights.internal.analyzer.ObjectPropertyRequiredRightAnalyzer; + +import com.xpn.xwiki.objects.BaseObject; + +/** + * {@link RequiredRightAnalyzer} for {@code XWiki.Notifications.Code.NotificationEmailRendererClass} objects. + * + * @version $Id$ + * @since 15.10.16 + * @since 16.4.7 + * @since 16.10.2 + */ +@Component +@Named(WikiEmailNotificationRendererDocumentInitializer.XCLASS_NAME) +@Singleton +public class WikiEmailNotificationRendererRequiredRightAnalyzer implements RequiredRightAnalyzer<BaseObject> +{ + @Inject + private ObjectPropertyRequiredRightAnalyzer objectPropertyRequiredRightAnalyzer; + + @Override + public List<RequiredRightAnalysisResult> analyze(BaseObject object) throws RequiredRightsException + { + return this.objectPropertyRequiredRightAnalyzer.analyzeAllPropertiesAndAddObjectResult(object, + RequiredRight.WIKI_ADMIN, "notifications.notifiers.emailNotificationRendererRequiredRights"); + } +}
xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-notifiers/xwiki-platform-notifications-notifiers-default/src/main/resources/ApplicationResources.properties+2 −0 modified@@ -47,3 +47,5 @@ notifications.notifiers.wikiNotificationDisplayerRequiredRight=Wiki notification administration rights. notifications.notifiers.wikiNotificationDisplayerRequiredRightWithScript=Wiki notification displayer objects require \ wiki administration rights, the Velocity code in the template script might additionally require programming right. +notifications.notifiers.emailNotificationRendererRequiredRights=Email notification renderer objects require wiki \ + administration rights. \ No newline at end of file
xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-notifiers/xwiki-platform-notifications-notifiers-default/src/main/resources/META-INF/components.txt+1 −0 modified@@ -17,5 +17,6 @@ org.xwiki.notifications.notifiers.internal.email.WatchlistLeftoversCleaner org.xwiki.notifications.notifiers.internal.email.WikiEmailNotificationRenderer org.xwiki.notifications.notifiers.internal.email.WikiEmailNotificationRendererComponentBuilder org.xwiki.notifications.notifiers.internal.email.WikiEmailNotificationRendererDocumentInitializer +org.xwiki.notifications.notifiers.internal.email.WikiEmailNotificationRendererRequiredRightAnalyzer org.xwiki.notifications.notifiers.internal.email.live.DefaultPrefilteringLiveMimeMessageIterator org.xwiki.notifications.notifiers.internal.email.live.LiveNotificationEmailEventFilter
xwiki-platform-core/xwiki-platform-notifications/xwiki-platform-notifications-notifiers/xwiki-platform-notifications-notifiers-default/src/test/java/org/xwiki/notifications/notifiers/internal/email/WikiEmailNotificationRendererRequiredRightAnalyzerTest.java+56 −0 added@@ -0,0 +1,56 @@ +/* + * See the NOTICE file distributed with this work for additional + * information regarding copyright ownership. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ +package org.xwiki.notifications.notifiers.internal.email; + +import org.junit.jupiter.api.Test; +import org.xwiki.platform.security.requiredrights.RequiredRight; +import org.xwiki.platform.security.requiredrights.internal.analyzer.ObjectPropertyRequiredRightAnalyzer; +import org.xwiki.test.junit5.mockito.ComponentTest; +import org.xwiki.test.junit5.mockito.InjectMockComponents; +import org.xwiki.test.junit5.mockito.MockComponent; + +import com.xpn.xwiki.objects.BaseObject; + +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; + +/** + * Component test for {@link WikiEmailNotificationRendererRequiredRightAnalyzer}. + * + * @version $Id$ + */ +@ComponentTest +class WikiEmailNotificationRendererRequiredRightAnalyzerTest +{ + @InjectMockComponents + private WikiEmailNotificationRendererRequiredRightAnalyzer analyzer; + + @MockComponent + private ObjectPropertyRequiredRightAnalyzer objectPropertyRequiredRightAnalyzer; + + @Test + void analyze() throws Exception + { + BaseObject object = mock(); + this.analyzer.analyze(object); + verify(this.objectPropertyRequiredRightAnalyzer).analyzeAllPropertiesAndAddObjectResult(object, + RequiredRight.WIKI_ADMIN, "notifications.notifiers.emailNotificationRendererRequiredRights"); + } +}
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-ff6v-w58f-v97wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-49583ghsaADVISORY
- github.com/xwiki/xwiki-platform/commit/3d96bf3ceb167bf0213d63f0be1f7e1732eb0a92ghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-ff6v-w58f-v97wghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-22471ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.