Remote Code Execution Vulnerability in XWiki Platform by XWiki
CVE-2025-48063
What is CVE-2025-48063?
A vulnerability in the XWiki platform allows users with edit rights on a document to incorrectly assign programming rights through a flaw in the enforcement of required rights. If exploited, this flaw can lead to the execution of malicious code, undermining the security benefit that the restriction on rights assignment is meant to provide. The flaw is triggered when a user with programming rights edits an affected document, which permits unauthorized code execution. To mitigate this risk, update to version 16.10.4 or 17.1.0RC1; no workarounds are available.
Affected Version(s)
xwiki-platform: >= 16.10.0-rc-1, < 16.10.4
xwiki-platform: >= 17.0.0-rc-1, < 17.1.0-rc-1
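A triage helper for the two ranges listed above, as an added example that is not part of the original advisory or XWiki's own code. It assumes version strings look like `16.10.3` or `16.10.0-rc-1` (the `17.1.0RC1` spelling is also accepted) and reports anything else as unknown; the hostnames and installed versions in the sample inventory are constructed.

```python
import re

# Affected ranges as listed on this page: start inclusive, fixed version exclusive.
AFFECTED_RANGES = [
    ("16.10.0-rc-1", "16.10.4"),
    ("17.0.0-rc-1", "17.1.0-rc-1"),
]

# Assumption: only "X.Y.Z" with an optional release-candidate suffix is supported.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-?rc-?(\d+))?$", re.IGNORECASE)


def version_key(version):
    """Return a sortable tuple; a release candidate sorts before its final release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is not None:
        return (major, minor, patch, 0, int(m.group(4)))
    return (major, minor, patch, 1, 0)


def is_affected(version):
    """True when the version falls inside one of the affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map each host to 'affected', 'not affected', or 'unknown' (unparseable)."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown"  # review by hand instead of assuming it is safe
    return result


# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = {
    "wiki-a.example": "16.10.3",
    "wiki-b.example": "17.1.0-rc-1",
    "wiki-c.example": "16.10-SNAPSHOT",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```
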