CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Description
XWiki is a generic wiki platform. Starting in versions 8.2 and 7.4.5 and prior to versions 17.1.0-rc-1, 16.10.4, and 16.4.7, a page can gain script or programming rights when it contains a link whose target is renamed or moved. This may lead to the execution of scripts contained in XObjects that should never have been executed. The vulnerability is fixed in 17.1.0-rc-1, 16.10.4, and 16.4.7.
Analysis
This is a privilege escalation vulnerability in XWiki: a page can unexpectedly gain script or programming rights when it contains a link to a page that is subsequently renamed or moved. An attacker with low privileges can thereby cause scripts embedded in XObjects, which should have remained restricted, to execute, potentially leading to complete system compromise. The vulnerability affects XWiki versions 8.2 through 17.0.x and requires user interaction (a page visit) to trigger; patches are available in 17.1.0-rc-1, 16.10.4, and 16.4.7.
Technical Context
XWiki is a Java-based collaborative wiki platform that supports embedded scripting through XObjects (custom data structures attached to pages) and Velocity/Groovy templating. The vulnerability is a privilege management flaw (CWE-266: Improper Privilege Management) in the link resolution and page rename/move mechanisms. When a page containing a link is accessed after the link's target has been renamed or moved, the platform fails to re-evaluate and maintain the security context of the scripts embedded in that page's XObjects. The affected component is likely the page rendering engine and link resolution subsystem, which does not isolate privilege contexts while page metadata is updated. For the vulnerability chain to work, XObjects with script content must remain associated with the page after its link targets change, bypassing the privilege restrictions that would normally prevent script execution in user-editable content.
Affected Products
XWiki Community Edition and Enterprise Edition: versions 8.2 through 17.0.x (all series). Specifically: 8.2–8.4.x, 9.0–9.11.x, 10.0–10.11.x, 11.0–11.10.x, 12.0–12.10.x, 13.0–13.10.x, 14.0–14.10.x, 15.0–15.10.x, 16.0–16.4.6 (patched in 16.4.7), 16.5–16.10.3 (patched in 16.10.4), and 17.0.0–17.0.x (patched in 17.1.0-rc-1). CPE representation: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* with version constraints >=8.2 and <17.1.0-rc-1 (excluding 16.4.7 and 16.10.4). Patch availability: the vendor released fixes in the maintenance branches 16.4.7 and 16.10.4 and in the development/RC release 17.1.0-rc-1.
Remediation
Immediate actions:
1. Upgrade to a patched version: 17.1.0-rc-1 (development/RC), 16.10.4 (LTS), or 16.4.7 (legacy), depending on the deployment.
2. If immediate patching is not feasible, restrict page creation and link modification privileges to trusted users only.
3. Audit all pages containing links to recently renamed or moved pages and review their embedded XObjects for script content.
4. Monitor page rename/move operations and cross-reference them with pages that link to the affected targets, to detect exploitation attempts.
5. Disable Groovy/Velocity script execution in XObjects where it is not operationally required, using XWiki's scripting restrictions.
6. Apply the fix from the XWiki security advisory published on xwiki.org once it is available.
Temporary workaround: restrict the 'Rename' and 'Move' page permissions to administrators only, reducing the attack surface. This does not eliminate the vulnerability for admin-performed operations, but it limits exposure.
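The audit and monitoring steps above can be scripted. The following Python sketch is an added example (not from this page or the XWiki project): it parses XWiki 2.x link syntax, resolves bare page names against the linking page's space, and flags pages that both link to a target appearing in a rename/move log and carry script macros in their XObjects. The page records, XObject contents and the rename log are constructed sample data; in practice they would come from exported documents and the platform's event log.

```python
import re
from dataclasses import dataclass, field

# XWiki 2.x link syntax: [[label>>doc:Space.Page]], [[label>>Space.Page]], [[Page]].
LINK_RE = re.compile(r"\[\[(?:[^\]>]*>>)?(?:doc:)?([^\]|>]+?)(?:\|\|[^\]]*)?\]\]")
# Script macros whose execution depends on script/programming rights.
SCRIPT_MACRO_RE = re.compile(r"\{\{(velocity|groovy|python)\b", re.IGNORECASE)

@dataclass
class Page:
    reference: str                                # e.g. "Space.Page"
    content: str                                  # wiki markup of the page
    objects: list = field(default_factory=list)   # string field values of its XObjects

def link_targets(page):
    """Document references the page links to; bare names resolve to the page's own space."""
    space = page.reference.rsplit(".", 1)[0]
    targets = set()
    for raw in LINK_RE.findall(page.content):
        raw = raw.strip()
        if raw.startswith(("http://", "https://", "mailto:")):
            continue                              # external URL, not a document
        targets.add(raw if "." in raw else f"{space}.{raw}")
    return targets

def has_script_content(page):
    return any(SCRIPT_MACRO_RE.search(v) for v in page.objects)

def audit(pages, renamed):
    """renamed maps old reference -> new reference (from the rename/move log).
    Flag pages that link to a renamed target and also hold script macros."""
    findings = []
    for p in pages:
        hits = link_targets(p) & set(renamed)
        if hits and has_script_content(p):
            findings.append((p.reference, sorted(hits)))
    return findings

# Constructed sample data: three pages and one rename event.
SAMPLE_PAGES = [
    Page("Sandbox.UserPage",
         "See [[the guide>>doc:Main.OldGuide]], [[Intro]] and [[site>>https://xwiki.org]].",
         ["{{velocity}}Hello $xcontext.user{{/velocity}}"]),
    Page("Main.Notes", "Also see [[Main.OldGuide]].", ["plain text, no macro"]),
    Page("Sandbox.Other", "[[Main.Unchanged]]", ["{{groovy}}println 'x'{{/groovy}}"]),
]
SAMPLE_RENAMED = {"Main.OldGuide": "Main.Guide"}

def run_sample():
    # Only Sandbox.UserPage links to the renamed target and carries a script macro.
    return audit(SAMPLE_PAGES, SAMPLE_RENAMED)
```

Each flagged page is a candidate for manual review of its XObjects and of the rights it held before and after the rename.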
EUVD-2025-18286