XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack through a deletion confirmation message. The attacker-supplied script is executed when the victim clicks the "No" button. This issue is fixed in versions 16.10.10 and 17.4.2 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-flamingo-skin-resources (Maven) | >= 6.2-milestone-1, < 16.10.10 | 16.10.10 |
| org.xwiki.platform:xwiki-platform-flamingo-skin-resources (Maven) | >= 17.0.0-rc-1, < 17.4.2 | 17.4.2 |
| org.xwiki.platform:xwiki-platform-web-templates (Maven) | >= 6.2-milestone-1, < 16.10.10 | 16.10.10 |
| org.xwiki.platform:xwiki-platform-web-templates (Maven) | >= 17.0.0-rc-1, < 17.4.2 | 17.4.2 |
Affected products
- Range: org.xwiki.platform:xwiki-platform-flamingo-skin-resources >= 6.2-milestone-1, < 16.10.10
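The ranges in the table above and under Affected products are Maven version ranges, so a plain string or tuple comparison gets the pre-release bounds wrong (6.2-milestone-1 sorts before 6.2, 17.0.0-rc-1 before 17.0.0). The following is an added Python example, not code from the advisory or from the XWiki project, that implements a simplified Maven-style ordering and checks a build's dependency list against the advisory's ranges; the `mvn dependency:list` lines it scans are constructed sample input.

```python
import re

# Simplified Maven version ordering (modelled on Maven's ComparableVersion rules,
# not the real class): known qualifiers rank in this order and "" stands for a
# plain release, so 6.2-milestone-1 < 6.2 < 6.2-sp1 and 17.0.0-rc-1 < 17.0.0.
_QUALIFIER_ORDER = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
_ALIASES = {"a": "alpha", "b": "beta", "m": "milestone", "cr": "rc",
            "ga": "", "final": "", "release": ""}
_RELEASE = ("qual", _QUALIFIER_ORDER.index(""), "")

# Ranges from the advisory table (lower bound inclusive, upper bound exclusive);
# both affected artifacts share them.
AFFECTED_RANGES = [("6.2-milestone-1", "16.10.10"), ("17.0.0-rc-1", "17.4.2")]
AFFECTED_ARTIFACTS = {
    "org.xwiki.platform:xwiki-platform-flamingo-skin-resources": AFFECTED_RANGES,
    "org.xwiki.platform:xwiki-platform-web-templates": AFFECTED_RANGES,
}


def _items(version):
    """Split '17.0.0-rc-1' into comparable items: ints and ranked qualifiers.
    Assumes qualifiers are separated by '.' or '-' (a token such as 'rc1'
    is treated as one unknown qualifier)."""
    items = []
    for tok in re.split(r"[.\-]", version.strip().lower()):
        if tok.isdigit():
            items.append(("num", int(tok)))
        else:
            q = _ALIASES.get(tok, tok)
            rank = (_QUALIFIER_ORDER.index(q) if q in _QUALIFIER_ORDER
                    else len(_QUALIFIER_ORDER))
            items.append(("qual", rank, q))
    # Trailing zeros and release qualifiers do not change ordering: 17 == 17.0.0
    while items and items[-1] in (("num", 0), _RELEASE):
        items.pop()
    return items


def _cmp_item(a, b):
    """Three-way compare of two items; None means that version ran out of items."""
    if a is None:
        return -_cmp_item(b, None)
    if b is None:
        # A missing item counts as 0 for numbers and as a release for qualifiers,
        # so 1.0.1 > 1.0 while 1.0-rc < 1.0.
        b = ("num", 0) if a[0] == "num" else _RELEASE
    if a[0] != b[0]:
        return 1 if a[0] == "num" else -1  # numbers sort after qualifiers
    key_a, key_b = a[1:], b[1:]
    return (key_a > key_b) - (key_a < key_b)


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b under the ordering above."""
    ia, ib = _items(a), _items(b)
    for i in range(max(len(ia), len(ib))):
        c = _cmp_item(ia[i] if i < len(ia) else None,
                      ib[i] if i < len(ib) else None)
        if c:
            return c
    return 0


def is_affected(artifact, version):
    """True if artifact:version falls inside one of the advisory's ranges."""
    return any(compare_versions(lo, version) <= 0 < compare_versions(hi, version)
               for lo, hi in AFFECTED_ARTIFACTS.get(artifact, []))


def scan_dependency_list(lines):
    """Scan `mvn dependency:list` style lines
    (groupId:artifactId:type[:classifier]:version:scope) and return the
    (artifact, version) pairs that are affected, in input order."""
    hits = []
    for line in lines:
        for tok in line.split():
            parts = tok.split(":")
            if len(parts) >= 5:
                artifact, version = ":".join(parts[:2]), parts[-2]
                if is_affected(artifact, version):
                    hits.append((artifact, version))
    return hits


# Constructed sample output, not captured from a real build.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO]    org.xwiki.platform:xwiki-platform-web-templates:jar:16.10.9:compile",
    "[INFO]    org.xwiki.platform:xwiki-platform-flamingo-skin-resources:jar:17.4.2:compile",
    "[INFO]    org.xwiki.platform:xwiki-platform-flamingo-skin-resources:jar:17.0.0-rc-1:compile",
    "[INFO]    org.xwiki.commons:xwiki-commons-component-api:jar:16.10.9:compile",
]

if __name__ == "__main__":
    for artifact, version in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"AFFECTED {artifact} {version}")
```

Note that a pre-release of the fixed version, such as 16.10.10-rc-1, still sorts below 16.10.10 and is therefore reported as affected, which matches the advisory's exclusive upper bound.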
Patches
cb578b1b2910 XWIKI-23244: Invalid HTML in confirmation pages
2 files changed · +8 −2
xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/macros.vm+4 −1 modified@@ -47,7 +47,10 @@ #macro(xwikimessagebox $title $message $urlyes $urlno $msgyes $msgno) #xwikimessageboxstart($title $message) - <div class="buttons"><a href="$urlyes" class="buttonwrapper"><input type="button" class="button" value="$msgyes" onclick="location='$urlyes'; return false;"/></a> <a href="$urlno" class="buttonwrapper"><input type="button" class="button secondary" value="$msgno" onclick="location='$urlno'; return false;"/></a></div> + <div class="buttons"> + <span class="buttonwrapper"><a href="$urlyes" class="button">$msgyes</a></span> + <span class="buttonwrapper"><a href="$urlno" class="button secondary">$msgno</a></span> + </div> #xwikimessageboxend() #end
xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm+4 −1 modified@@ -926,7 +926,10 @@ $doc.display("content", $obj) #macro(xwikimessagebox $title $message $urlyes $urlno $msgyes $msgno) #xwikimessageboxstart($title $message) - <div class="buttons"><a href="$urlyes" class="buttonwrapper"><input type="button" class="button" value="$msgyes" onclick="location='$urlyes'; return false;"/></a><a href="$urlno" class="buttonwrapper"><input type="button" class="button" value="$msgno" onclick="location='$urlno'; return false;"/></a></div> + <div class="buttons"> + <span class="buttonwrapper"><a href="$urlyes" class="button">$msgyes</a></span> + <span class="buttonwrapper"><a href="$urlno" class="button">$msgno</a></span> + </div> #xwikimessageboxend() #end
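Review bot: In the flamingo macros.vm hunk, the substantive change is that `$urlyes` and `$urlno` are no longer interpolated into the inline `onclick="location='$urlno'; return false;"` JavaScript string; they now appear only as `href` attribute values on `<a class="button">`. The hunk shows no escaping of `$urlyes`, `$urlno`, `$msgyes` or `$msgno` inside the macro, so it still depends on every caller passing attribute-safe values; consider applying `$escapetool.xml` to the URL and label parameters within `#macro(xwikimessagebox ...)` so a future caller cannot reintroduce the problem, and document that contract in a comment on the macro. Also note that `$msgyes`/`$msgno` move from an attribute value (`value="$msgyes"`) to element text, which changes the escaping context that applies to them.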
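Review bot: The web-templates macros.vm hunk is the same restructuring, but its "No" link is `<a href="$urlno" class="button">` while the flamingo copy uses `class="button secondary"`; if the two copies of `xwikimessagebox` are meant to render identically, align the classes, and otherwise note in the commit why they differ. The same escaping question applies here: `$urlyes`, `$urlno`, `$msgyes` and `$msgno` are still emitted without any escaping visible in the hunk. Since `<a class="buttonwrapper">` wrapping an `<input>` is replaced by `<span class="buttonwrapper">` wrapping an `<a>`, confirm the `.buttonwrapper` styling still matches on a span.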
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7vpr-jm38-wr7w (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-66472 (advisory)
- github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2 (web, x_refsource_MISC)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w (web, x_refsource_CONFIRM)
- jira.xwiki.org/browse/XWIKI-23244 (web, x_refsource_MISC)