CVE-2025-49587: XWiki Platform XSS Vulnerability

CVE-2025-49587 is a cross-site scripting flaw in XWiki Platform that allows attackers to inject malicious code through notification displayer objects. This post covers technical details, affected versions, and mitigation.

CVE-2025-49587 Overview

CVE-2025-49587 is a stored Cross-Site Scripting (XSS) vulnerability in XWiki, an open-source wiki software platform. A user without script right can create a document containing an XWiki.Notifications.Code.NotificationDisplayerClass object. When an administrator later edits and saves that document, the object's content renders as raw HTML, executing attacker-controlled script in the admin's session. The flaw is tracked under CWE-357: Insufficient UI Warning of Dangerous Operations. XWiki patched the issue in versions 15.10.16, 16.4.7, and 16.10.2 by adding a required rights analyzer that warns administrators before editing documents with potentially malicious code.

Critical Impact

An unprivileged user can plant malicious notification displayer code that executes in an administrator's browser, leading to account takeover and full wiki compromise through privileged Velocity execution.

Affected Products

  • XWiki Platform versions prior to 15.10.16
  • XWiki Platform 16.x versions prior to 16.4.7
  • XWiki Platform versions from 16.5.0 up to, but not including, 16.10.2

Discovery Timeline

  • 2025-06-13 - CVE-2025-49587 published to NVD
  • 2025-09-03 - Last updated in NVD database

Technical Details for CVE-2025-49587

Vulnerability Analysis

The vulnerability exists in how XWiki handles the XWiki.Notifications.Code.NotificationDisplayerClass object. This class controls how notifications are rendered to end users and supports Velocity template execution. Any authenticated user without script right can create a document with this object attached, carrying arbitrary HTML or Velocity content.

The stored payload remains dormant until a privileged user edits and saves the affected document. At that point, the notification displayer content is output as raw HTML during rendering, executing within the administrator's authenticated session. Because XWiki notification displayers can execute Velocity, the impact extends beyond client-side script execution to server-side template evaluation under administrator privileges.

Root Cause

The root cause is missing UI-level warnings about dangerous document properties. Before XWiki 15.9, no warnings existed when editing documents with risky properties, and the project documentation simply advised administrators to be careful. Although a generic analyzer warned admins before editing Velocity code, no equivalent analyzer existed for the notification displayer object, leaving administrators unaware of the embedded payload.

Attack Vector

Exploitation requires authenticated access with low privileges and user interaction from a targeted administrator. The attacker creates a document containing a crafted NotificationDisplayerClass object with malicious HTML or Velocity payloads. The attacker then waits for or socially engineers an administrator into editing the document. Upon save, the payload executes with administrative context, enabling session theft, privilege escalation, or arbitrary script execution on the server.

No public proof-of-concept code is available for this issue. Refer to the GitHub Security Advisory GHSA-j7p2-87q3-44w7 and the XWiki JIRA Issue XWIKI-22470 for vendor technical details.

Detection Methods for CVE-2025-49587

Indicators of Compromise

  • Documents containing XWiki.Notifications.Code.NotificationDisplayerClass objects created by non-admin users
  • Unexpected Velocity code or HTML script tags within notification displayer fields
  • Administrator account activity originating from unusual IP addresses following edits of user-created documents
  • New administrative users or modified group memberships immediately after a privileged document save

Detection Strategies

  • Query the XWiki document store for objects of class XWiki.Notifications.Code.NotificationDisplayerClass and review their authorship and content
  • Inspect document revision history for changes made by users without script right that introduce notification objects
  • Monitor HTTP response bodies served to administrator sessions for unexpected inline <script> tags originating from wiki content endpoints

Monitoring Recommendations

  • Enable XWiki audit logging for document creation, object addition, and administrator edit operations
  • Forward XWiki application logs to a centralized log platform and alert on creation of notification displayer objects by low-privileged accounts
  • Track administrator session activity and correlate document edits with subsequent permission or configuration changes

How to Mitigate CVE-2025-49587

Immediate Actions Required

  • Upgrade XWiki to version 15.10.16, 16.4.7, or 16.10.2 or later as appropriate for your release branch
  • Audit all existing documents containing XWiki.Notifications.Code.NotificationDisplayerClass objects and verify their authors and content
  • Restrict document creation privileges to trusted users until the patch is applied
  • Instruct administrators to avoid editing user-created documents without first reviewing their object payloads

Patch Information

The fix is implemented in commit 55c5d568c4dc4619f37397d00d14dcdeab9c252d. The patch adds a required rights analyzer that detects NotificationDisplayerClass objects and warns the administrator before editing about the possibly malicious code. Fixed versions are 15.10.16, 16.4.7, and 16.10.2.

Workarounds

  • Remove or disable the XWiki.Notifications.Code.NotificationDisplayerClass from environments where notification customization is not required
  • Use the wiki object editor to manually inspect document objects before performing edits as an administrator
  • Restrict edit permissions on documents authored by users without script right through programmatic right management

Verify the installed XWiki version:

```bash
java -jar xwiki-platform-distribution-*.jar --version
```

Enumerate documents that carry a NotificationDisplayerClass object. Run the query from the XWiki admin Scripts page or an HQL console:

```sql
select doc.fullName from XWikiDocument doc, BaseObject obj
where obj.name = doc.fullName
and obj.className = 'XWiki.Notifications.Code.NotificationDisplayerClass'
```
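The enumeration query above and the pre-edit warning added by the patch's required rights analyzer can be combined into an offline triage step over the query's results. The following is an added example, not XWiki project code: it assumes each hit has already been exported as document name, author, whether that author holds script right, and the object's content, and it runs over constructed sample records.

```python
import re
from dataclasses import dataclass

# HQL from the advisory: enumerate documents carrying the displayer object.
ENUMERATE_HQL = (
    "select doc.fullName from XWikiDocument doc, BaseObject obj "
    "where obj.name = doc.fullName "
    "and obj.className = 'XWiki.Notifications.Code.NotificationDisplayerClass'"
)

# Markers meaning the object can emit markup or drive Velocity when rendered (heuristic, not a parser).
MARKERS = {
    "html_script": re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.I),
    "velocity": re.compile(
        r"#(set|if|foreach|macro|evaluate)\s*\(|\$(services|xwiki|xcontext|doc|request)\b", re.I),
}

@dataclass
class DisplayerObject:
    doc_full_name: str
    author: str
    author_has_script_right: bool  # assumed to be resolved via the rights service at export time
    content: str

def classify(obj: DisplayerObject) -> dict:
    """Return the markers found in one object and a verdict for reviewers."""
    found = [name for name, rx in MARKERS.items() if rx.search(obj.content)]
    if found and not obj.author_has_script_right:
        # Same condition the patched analyzer warns on: active content saved by an author who cannot run scripts.
        verdict = "WARN_BEFORE_EDIT"
    elif found:
        verdict = "REVIEW"
    else:
        verdict = "OK"
    return {"document": obj.doc_full_name, "author": obj.author,
            "markers": found, "verdict": verdict}

def triage(objects):
    """Classify every exported object; the result preserves input order."""
    return [classify(o) for o in objects]

# Constructed sample export, not data from a real wiki.
SAMPLE = [
    DisplayerObject("XWiki.Notifications.Code.DefaultDisplayer", "XWiki.Admin", True,
                    "#set($count = 1)\n<div>$count</div>"),
    DisplayerObject("Sandbox.UserPage", "XWiki.newuser", False,
                    '<div>hello</div><script src="//example.invalid/x.js"></script>'),
    DisplayerObject("Sandbox.Harmless", "XWiki.newuser", False, "<p>plain text only</p>"),
]
```

Objects that come back as WARN_BEFORE_EDIT are the ones to inspect in the object editor before any administrator opens the document for editing.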

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
