Description

XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading.

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CNA:  GitHub, Inc.

CVSS-B 4.8 MEDIUM

Vector:  CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  8.8 HIGH

Vector:  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Hyperlink	Resource
https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898	Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp	Patch  Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-22859	Exploit  Patch  Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-22859	Exploit  Patch  Vendor Advisory

Weakness Enumeration

CWE-ID	CWE Name	Source
NVD-CWE-noinfo	Insufficient Information	NIST
CWE-285	Improper Authorization	GitHub, Inc.

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

3 change records found show changes

Initial Analysis by NIST 6/20/2025 1:38:28 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Added	CWE		NVD-CWE-noinfo
Added	CPE Configuration		OR *cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* versions from (including) 16.10.0 up to (excluding) 16.10.4 *cpe:2.3:a:xwiki:xwiki:17.0.0:-:*:*:*:*:*:* *cpe:2.3:a:xwiki:xwiki:17.0.0:rc1:*:*:*:*:*:*
Added	Reference Type		CISA-ADP: https://jira.xwiki.org/browse/XWIKI-22859 Types: Exploit, Patch, Vendor Advisory
Added	Reference Type		GitHub, Inc.: https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898 Types: Patch
Added	Reference Type		GitHub, Inc.: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp Types: Patch, Vendor Advisory
Added	Reference Type		GitHub, Inc.: https://jira.xwiki.org/browse/XWIKI-22859 Types: Exploit, Patch, Vendor Advisory

CVE Modified by CISA-ADP 5/21/2025 3:16:09 PM

Action	Type	Old Value	New Value
Added	Reference		https://jira.xwiki.org/browse/XWIKI-22859

New CVE Received from GitHub, Inc. 5/21/2025 2:15:53 PM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 1646 characters. View Entire Change Record XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this
Added	CVSS V4.0		AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Added	CWE		CWE-285
Added	Reference		https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898
Added	Reference		https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp
Added	Reference		https://jira.xwiki.org/browse/XWIKI-22859