Description
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass, there is no warning that this will grant programming rights to this object. An attacker who created such a malicious object could use this to gain programming rights on the wiki. For this, the attacker needs to have edit rights on at least one page to place this object and then get an admin user to edit that document. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x7wv-5qg4-vmr6
Patch x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/1a6f1b2e050770331c9a63d12a3fd8a36d199f62
Exploit, Issue Tracking, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-22460
Scores
CVSS v3
9.0
EPSS
0.0224
EPSS Percentile
84.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (2)
org.xwiki.platform/xwiki-platform-component-wiki
15.9-rc-1 - 15.10.12Maven
xwiki/xwiki
15.9 - 15.10.12
Published
Apr 30, 2025
Tracked Since
Feb 18, 2026