cvelistv5 - cve-2025-23025

cve-2025-23025

Vulnerability from cvelistv5

Published

2025-01-14 17:42

Modified

2025-01-15 15:30

Severity ?

9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Summary

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editorextension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui).

References

▼	URL	Tags
	security-advisories@github.com	https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection
	security-advisories@github.com	https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor
	security-advisories@github.com	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg
	security-advisories@github.com	https://jira.xwiki.org/browse/XWIKI-21949

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: >= 13.9-rc-1, < 15.10.12 Version: >= 16.0.0, < 16.4.1 Version: >= 16.5.0, < 16.6.0-rc-1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-23025",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-15T15:29:51.884454Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-15T15:30:06.298Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 13.9-rc-1, \u003c 15.10.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.0.0, \u003c 16.4.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 16.5.0, \u003c 16.6.0-rc-1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editorextension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-14T17:42:14.304Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg"
        },
        {
          "name": "https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection"
        },
        {
          "name": "https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-21949",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-21949"
        }
      ],
      "source": {
        "advisory": "GHSA-rmm7-r7wr-xpfg",
        "discovery": "UNKNOWN"
      },
      "title": "Privilege escalation (PR) through realtime WYSIWYG editing in XWiki"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-23025",
    "datePublished": "2025-01-14T17:42:14.304Z",
    "dateReserved": "2025-01-10T15:11:08.880Z",
    "dateUpdated": "2025-01-15T15:30:06.298Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-23025\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-01-14T18:16:05.650\",\"lastModified\":\"2025-01-14T18:16:05.650\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editorextension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-21949\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-23025\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-15T15:29:51.884454Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-15T15:29:58.292Z\"}}], \"cna\": {\"title\": \"Privilege escalation (PR) through realtime WYSIWYG editing in XWiki\", \"source\": {\"advisory\": \"GHSA-rmm7-r7wr-xpfg\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"xwiki\", \"product\": \"xwiki-platform\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 13.9-rc-1, \u003c 15.10.12\"}, {\"status\": \"affected\", \"version\": \"\u003e= 16.0.0, \u003c 16.4.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 16.5.0, \u003c 16.6.0-rc-1\"}]}], \"references\": [{\"url\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg\", \"name\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection\", \"name\": \"https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor\", \"name\": \"https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://jira.xwiki.org/browse/XWIKI-21949\", \"name\": \"https://jira.xwiki.org/browse/XWIKI-21949\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editorextension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862: Missing Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-01-14T17:42:14.304Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-23025\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-15T15:30:06.298Z\", \"dateReserved\": \"2025-01-10T15:11:08.880Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-01-14T17:42:14.304Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2025-23025

Vulnerability from fkie_nvd

Published

2025-01-14 18:16

Modified

2025-01-14 18:16

Severity ?

9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection
	security-advisories@github.com	https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor
	security-advisories@github.com	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg
	security-advisories@github.com	https://jira.xwiki.org/browse/XWIKI-21949

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editorextension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui)."
    },
    {
      "lang": "es",
      "value": "XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de tiempo de ejecuci\u00f3n para aplicaciones creado sobre ella. NOTA: La extensi\u00f3n Realtime WYSIWYG Editor era **experimental**, y por lo tanto **no recomendada**, en las versiones afectadas por esta vulnerabilidad. Se ha habilitado de forma predeterminada, y por lo tanto se recomienda, a partir de XWiki 16.9.0. Un usuario con solo **derecho de edici\u00f3n** puede unirse a una sesi\u00f3n de edici\u00f3n en tiempo real en la que otros, que ya estaban all\u00ed o que se unir\u00e1n m\u00e1s tarde, tienen **derechos de acceso de MASK15**** o **programaci\u00f3n**. Este usuario puede insertar Script macros de renderizado** que se ejecutan para esos usuarios en la sesi\u00f3n en tiempo real mediante el script MASK13** o los derechos de programaci\u00f3n. Los Scripts insertados se pueden utilizar para obtener m\u00e1s derechos de acceso. Esta vulnerabilidad se ha corregido en XWiki 15.10.2, 16.4.1 y 16.6.0-rc-1. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar pueden deshabilitar la edici\u00f3n WYSIWYG en tiempo real deshabilitando el complemento CKEditor ``xwiki-realtime`` desde la secci\u00f3n de administraci\u00f3n del editor WYSIWYG o desinstalar la extensi\u00f3n Realtime WYSIWYG Editor (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui)."
    }
  ],
  "id": "CVE-2025-23025",
  "lastModified": "2025-01-14T18:16:05.650",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-14T18:16:05.650",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://jira.xwiki.org/browse/XWIKI-21949"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-862"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

wid-sec-w-2025-0089

Vulnerability from csaf_certbund

Published

2025-01-14 23:00

Modified

2025-01-14 23:00

Summary

xwiki: Schwachstelle ermöglicht Privilegieneskalation

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

XWiki ist eine Open-Source-Wiki-Software-Plattform, für die Erstellung und Verwaltung von Wikis und Knowledge-Management-Systemen

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in xwiki ausnutzen, um seine Privilegien zu erhöhen.

Betroffene Betriebssysteme

- Sonstiges - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "XWiki ist eine Open-Source-Wiki-Software-Plattform, f\u00fcr die Erstellung und Verwaltung von Wikis und Knowledge-Management-Systemen",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in xwiki ausnutzen, um seine Privilegien zu erh\u00f6hen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-0089 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-0089.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-0089 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-0089"
      },
      {
        "category": "external",
        "summary": "XWiki Bug XWIKI-21949 vom 2025-01-14",
        "url": "https://jira.xwiki.org/browse/XWIKI-21949"
      }
    ],
    "source_lang": "en-US",
    "title": "xwiki: Schwachstelle erm\u00f6glicht Privilegieneskalation",
    "tracking": {
      "current_release_date": "2025-01-14T23:00:00.000+00:00",
      "generator": {
        "date": "2025-01-15T12:18:18.859+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.10"
        }
      },
      "id": "WID-SEC-W-2025-0089",
      "initial_release_date": "2025-01-14T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-01-14T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c15.10.12",
                "product": {
                  "name": "Open Source xwiki \u003c15.10.12",
                  "product_id": "T040188"
                }
              },
              {
                "category": "product_version",
                "name": "15.10.12",
                "product": {
                  "name": "Open Source xwiki 15.10.12",
                  "product_id": "T040188-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:15.10.12"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.4.1",
                "product": {
                  "name": "Open Source xwiki \u003c16.4.1",
                  "product_id": "T040189"
                }
              },
              {
                "category": "product_version",
                "name": "16.4.1",
                "product": {
                  "name": "Open Source xwiki 16.4.1",
                  "product_id": "T040189-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:16.4.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c16.6.0-rc-1",
                "product": {
                  "name": "Open Source xwiki \u003c16.6.0-rc-1",
                  "product_id": "T040190"
                }
              },
              {
                "category": "product_version",
                "name": "16.6.0-rc-1",
                "product": {
                  "name": "Open Source xwiki 16.6.0-rc-1",
                  "product_id": "T040190-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:open_source:xwiki:16.6.0-rc-1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "xwiki"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-23025",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in xwiki. Dieser Fehler besteht aufgrund einer unsachgem\u00e4\u00dfen Behandlung von Makroparametern und -inhalten, die eine erneute Darstellung der Makroausgabe f\u00fcr jeden Teilnehmer ausl\u00f6sen. Ein entfernter, authentisierter Angreifer ohne Skriptrechte kann diese Schwachstelle ausnutzen, um erh\u00f6hte Rechte zu erlangen und somit Skripte auszuf\u00fchren. Eine erfolgreiche Ausnutzung erfordert eine Benutzerinteraktion."
        }
      ],
      "product_status": {
        "known_affected": [
          "T040190",
          "T040189",
          "T040188"
        ]
      },
      "release_date": "2025-01-14T23:00:00.000+00:00",
      "title": "CVE-2025-23025"
    }
  ]
}

ghsa-rmm7-r7wr-xpfg

Vulnerability from github

Published

2025-01-14 16:00

Modified

2025-01-14 21:20

Severity ?

9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Summary

XWiki Realtime WYSIWYG Editor extension allows privilege escalation (PR) through realtime WYSIWYG editing

Details

Impact

NOTE: The Realtime WYSIWYG Editor extension was experimental, and thus not recommended, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0.

A user with only edit right can join a realtime editing session where others, that where already there or that may join later, have script or programming access rights. This user can then insert script rendering macros that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights.

Here's an example that works with XWiki 15.10.9+ and 16.2.0+:

the attacker starts editing a wiki page in realtime (for which they have edit right)
another user, with script or programming access right joins the editing session (e.g. by clicking on a link / URL provided by the attacker)
the attacker inserts a script rendering macro, say {{velocity}}I can run scripts{{/velocity}}, in the edited content, using the WYSIWYG editor UI
the edited content is reloaded for both the attacker and the other user, in order to render the inserted macro
the attacker gets a rendering error message
the other user sees "I can run scripts"

The attacker can obviously use more advanced scripts to gain access rights.

Before XWiki 15.10.9 and 16.2.0 the edited content was not re-rendered for all the users in the editing sesesion, but only for the user that inserted the macro. This means that in order to reproduce the problem the other user had to insert or update a macro or save and view the content.

Patches

This vulnerability has been patched in XWiki 15.10.12, 16.4.1 and 16.6.0-rc-1.

Workarounds

To avoid this vulnerability you can:

either disable the realtime WYSIWYG editing by disabling the xwiki-realtime CKEditor plugin from the WYSIWYG editor administration section
or uninstall the Realtime WYSIWYG Editor extension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui)

References

https://jira.xwiki.org/browse/XWIKI-21949

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.9-rc-1"
            },
            {
              "fixed": "15.10.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.0.0-rc-1"
            },
            {
              "fixed": "16.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "16.5.0-rc-1"
            },
            {
              "fixed": "16.6.0-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-23025"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-14T16:00:36Z",
    "nvd_published_at": "2025-01-14T18:16:05Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nNOTE: The [Realtime WYSIWYG Editor](https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor/) extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0.\n\nA user with only **edit right** can join a realtime editing session where others, that where already there or that may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights.\n\nHere\u0027s an example that works with XWiki 15.10.9+ and 16.2.0+:\n\n* the attacker starts editing a wiki page in realtime (for which they have edit right)\n* another user, with script or programming access right joins the editing session (e.g. by clicking on a link / URL provided by the attacker)\n* the attacker inserts a script rendering macro, say ``{{velocity}}I can run scripts{{/velocity}}``, in the edited content, using the WYSIWYG editor UI\n* the edited content is reloaded for both the attacker and the other user, in order to render the inserted macro\n  * the attacker gets a rendering error message\n  * the other user sees \"I can run scripts\"\n\nThe attacker can obviously use more advanced scripts to gain access rights.\n\nBefore XWiki 15.10.9 and 16.2.0 the edited content was not re-rendered for all the users in the editing sesesion, but only for the user that inserted the macro. This means that in order to reproduce the problem the other user had to insert or update a macro or save and view the content.\n\n### Patches\n\nThis vulnerability has been patched in XWiki 15.10.12, 16.4.1 and 16.6.0-rc-1.\n\n### Workarounds\n\nTo avoid this vulnerability you can:\n\n* either disable the realtime WYSIWYG editing by disabling the ``xwiki-realtime`` CKEditor plugin from [the WYSIWYG editor administration section](https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection)\n* or uninstall the [Realtime WYSIWYG Editor](https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor/) extension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui)\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-21949\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
  "id": "GHSA-rmm7-r7wr-xpfg",
  "modified": "2025-01-14T21:20:22Z",
  "published": "2025-01-14T16:00:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmm7-r7wr-xpfg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23025"
    },
    {
      "type": "WEB",
      "url": "https://extensions.xwiki.org/xwiki/bin/view/Extension/CKEditor+Integration#HAdministrationSection"
    },
    {
      "type": "WEB",
      "url": "https://extensions.xwiki.org/xwiki/bin/view/Extension/Realtime%20WYSIWYG%20Editor"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-21949"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Realtime WYSIWYG Editor extension allows privilege escalation (PR) through realtime WYSIWYG editing"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2025-23025

Vulnerability from cvelistv5

fkie_cve-2025-23025

Vulnerability from fkie_nvd

wid-sec-w-2025-0089

Vulnerability from csaf_certbund

ghsa-rmm7-r7wr-xpfg

Vulnerability from github

Impact

Patches

Workarounds

References

For more information

Tags

Sightings

Nomenclature