Stored Cross-Site Scripting Vulnerabilities in XWiki Administration Interface
CVE-2025-51990

4.8 MEDIUM

Key Information:

Vendor: XWiki SAS
Status: Vendor
CVE Published: 20 August 2025

What is CVE-2025-51990?

Versions of XWiki up to 17.3.0 contain multiple stored cross-site scripting (XSS) vulnerabilities in the Administration interface, specifically in the Presentation section of Global Preferences. An authenticated administrator can inject arbitrary JavaScript into the HTML Meta Info, Footer Copyright, and Footer Version fields. These values are stored and later rendered on public-facing pages without adequate output encoding or sanitization, so the injected scripts execute persistently in the browser of every visitor, logged-in or guest, which makes exploitation straightforward. An attacker can hijack sessions, steal credentials, or perform unauthorized actions without requiring user interaction, which poses a severe risk in deployments where administrator credentials might be exposed.
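As an added illustration (not XWiki's own code or its fix), the Python rendering routine below shows the two mitigations the description implies: the Footer Copyright and Footer Version values are HTML-escaped as plain text, while HTML Meta Info, a field that legitimately holds markup, is passed through an allow-list that keeps only `<meta>` elements with a fixed set of attributes. The stored preference values, the field names and the attribute allow-list are constructed assumptions for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample values standing in for what an administrator might have
# stored under Global Preferences > Presentation (not real XWiki data).
STORED_PREFS = {
    "meta": '<meta name="description" content="Team wiki"><script>alert(1)</script>'
            '<meta name="x" content="y" onload="alert(2)">',
    "copyright": 'Copyright 2025 Example Inc <img src=x onerror="alert(3)">',
    "version": '17.3.0"><script>alert(4)</script>',
}

# Assumed allow-list: only these attributes survive on a <meta> element.
ALLOWED_META_ATTRS = {"name", "content", "charset", "http-equiv", "property"}


class MetaOnly(HTMLParser):
    """Keep only <meta> elements with allow-listed attributes; drop every other
    tag, and drop all text nodes (so <script> bodies never reach the output)."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":           # HTMLParser lower-cases tag names for us
            return
        kept = [(k, v) for k, v in attrs if k in ALLOWED_META_ATTRS and v is not None]
        if kept:
            rendered = " ".join(f'{k}="{html.escape(v, quote=True)}"' for k, v in kept)
            self.out.append(f"<meta {rendered}>")


def sanitize_meta(raw: str) -> str:
    """Allow-list sanitizer for the HTML Meta Info field."""
    parser = MetaOnly()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


def render_page(prefs: dict) -> str:
    """Render head and footer with each field encoded for its context."""
    head = sanitize_meta(prefs["meta"])
    # Footer fields are plain text: HTML-escape them before interpolation.
    footer = (f"<footer>{html.escape(prefs['copyright'])}"
              f" - v{html.escape(prefs['version'])}</footer>")
    return f"<html><head>{head}</head><body>{footer}</body></html>"
```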

References

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved
