xwiki-platform up to 16.10.3/17.1.0-rc0 improper authorization

Summaryinfo

A vulnerability classified as critical has been found in xwiki-platform up to 16.10.3/17.1.0-rc0. This vulnerability affects unknown code. The manipulation leads to improper authorization. This vulnerability is uniquely identified as CVE-2025-48063. The attack is possible to be carried out remotely. No exploit exists. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, has been found in xwiki-platform up to 16.10.3/17.1.0-rc0. This issue affects some unknown processing. The manipulation with an unknown input leads to a improper authorization vulnerability. Using CWE to declare the problem leads to CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading.

The advisory is shared at github.com. The identification of this vulnerability is CVE-2025-48063 since 05/15/2025. The exploitation is known to be easy. The attack may be initiated remotely. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1548.002 for this issue.

Upgrading to version 16.10.4 or 17.1.0-rc1 eliminates this vulnerability. Applying the patch 2557813aef3b863988d6cca58de996e207086898 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Content Management System

Name

• xwiki-platform

Version

• 16.10.0
• 16.10.1
• 16.10.2
• 16.10.3
• 17.1.0-rc0

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion