Vulnerability in XWiki Platform's Realtime WYSIWYG Editor Allows Script Injection
CVE-2025-23025

9.1 CRITICAL

Key Information:

Vendor: XWiki
CVE Published: 14 January 2025

Summary

XWiki Platform includes a Realtime WYSIWYG Editor that lets users with edit rights take part in collaborative editing sessions. When a user with limited permissions joins such a session, they can gain access to scripting capabilities by exploiting scripts introduced by participants with higher privileges. Because the editor is enabled by default in the affected versions, the result is a critical risk of unauthorized script execution. Patches are available in versions 15.10.2, 16.4.1, and 16.6.0-rc-1. Users who cannot update should either disable the realtime editing feature in the administration section or uninstall the extension.

Affected Version(s)

xwiki-platform >= 13.9-rc-1, < 15.10.12 (patched in 15.10.12)

xwiki-platform >= 16.0.0, < 16.4.1 (patched in 16.4.1)

xwiki-platform >= 16.5.0, < 16.6.0-rc-1 (patched in 16.6.0-rc-1)

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published