Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66472

CVE-2025-66472: XWiki Platform XSS Vulnerability

CVE-2025-66472 is a reflected XSS vulnerability in XWiki Platform that allows attackers to execute malicious scripts through a deletion confirmation message. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-66472 Overview

CVE-2025-66472 is a reflected cross-site scripting (XSS) vulnerability [CWE-79] in the XWiki Platform. The flaw resides in the deletion confirmation message rendered by both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates. Attacker-supplied script executes when a victim clicks the "No" button on a maliciously crafted confirmation page. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 are affected. The issue is fixed in versions 16.10.10 and 17.4.2.

Critical Impact

A remote, unauthenticated attacker can inject JavaScript that executes in the victim's browser session, enabling session theft, account takeover, and further wiki compromise.

Affected Products

  • XWiki Platform Flamingo Skin Resources versions 6.2-milestone-1 through 16.10.9
  • XWiki Platform Web Templates versions 17.0.0-rc-1 through 17.4.1
  • XWiki Platform installations that expose deletion confirmation pages to untrusted users

Discovery Timeline

  • 2025-12-10 - CVE-2025-66472 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-66472

Vulnerability Analysis

The vulnerability is a reflected XSS in the xwikimessagebox Velocity macro used to render deletion confirmation pages. The macro accepted URL parameters and injected them directly into HTML attributes and inline onclick handlers without sufficient escaping. When a victim visits a crafted URL and clicks the "No" (cancel) button, the attacker-controlled payload executes in the context of the XWiki application. Because the payload runs in the authenticated user's session, an attacker can hijack sessions, perform privileged wiki actions, or exfiltrate data. The vulnerability requires user interaction but does not require authentication of the attacker.

Root Cause

The root cause is unsafe interpolation of the $urlyes and $urlno parameters inside an onclick="location='$urlyes'; return false;" JavaScript context. Velocity variables placed inside single-quoted JavaScript strings inherited only HTML-attribute escaping, which is insufficient to prevent breaking out of the JavaScript string context. This is a classic mixed-context escaping failure aligned with [CWE-79].

Attack Vector

Exploitation is network-based and requires the victim to click the "No" button on a crafted deletion confirmation URL. An attacker crafts a link containing a malicious xredirect or equivalent URL parameter and delivers it via phishing or an untrusted referrer. The reflected payload renders inside the confirmation dialog and fires on click.

text
// Patch: xwiki-platform-flamingo-skin-resources/.../macros.vm
// Source: https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2

 #macro(xwikimessagebox $title $message $urlyes $urlno $msgyes $msgno)
 #xwikimessageboxstart($title $message)
-      <div class="buttons"><a href="$urlyes" class="buttonwrapper"><input type="button" class="button" value="$msgyes" onclick="location='$urlyes'; return false;"/></a> <a href="$urlno" class="buttonwrapper"><input type="button" class="button secondary" value="$msgno" onclick="location='$urlno'; return false;"/></a></div>
+      <div class="buttons">
+        <span class="buttonwrapper"><a href="$urlyes" class="button">$msgyes</a></span>
+        <span class="buttonwrapper"><a href="$urlno" class="button secondary">$msgno</a></span>
+      </div>
 #xwikimessageboxend()
 #end

The fix removes the inline onclick JavaScript handler entirely, replacing the <input type="button"> element with a plain <a href="..."> anchor. This eliminates the JavaScript string context and relies solely on standard HTML attribute escaping for the URL. See the XWiki JIRA Issue XWIKI-23244 and the GitHub Security Advisory GHSA-7vpr-jm38-wr7w.

Detection Methods for CVE-2025-66472

Indicators of Compromise

  • HTTP requests to XWiki deletion endpoints containing xredirect or URL parameters with javascript:, ';, onerror=, or encoded <script> payloads.
  • Web server access logs showing referrer-driven navigation to /xwiki/bin/delete/ or confirmation templates from external domains.
  • Browser console errors or unexpected outbound requests originating from XWiki confirmation pages.

Detection Strategies

  • Deploy web application firewall (WAF) rules that inspect XWiki URL parameters for JavaScript breakout characters and reflected script content.
  • Instrument Content Security Policy (CSP) reporting to capture inline-script violations on /xwiki/ paths.
  • Review XWiki version banners and inventory installations against fixed versions 16.10.10 and 17.4.2.

Monitoring Recommendations

  • Alert on anomalous click-through patterns to deletion confirmation URLs originating from external referrers.
  • Monitor XWiki application logs for repeated deletion confirmation requests carrying suspicious query strings.
  • Correlate authenticated session activity with subsequent privilege-sensitive wiki changes following confirmation-page visits.

How to Mitigate CVE-2025-66472

Immediate Actions Required

  • Upgrade XWiki Platform to version 16.10.10 or 17.4.2 as published in GitHub Security Advisory GHSA-7vpr-jm38-wr7w.
  • Invalidate active user sessions after upgrading to remove any potentially hijacked cookies.
  • Audit administrative wiki accounts for unauthorized page modifications or permission changes.

Patch Information

The official fix is committed in GitHub Commit cb578b1. It rewrites the xwikimessagebox macro in both xwiki-platform-flamingo-skin-resources and xwiki-platform-web-templates to remove inline JavaScript event handlers. Fixed releases are XWiki 16.10.10 and 17.4.2.

Workarounds

  • If patching is delayed, deploy a strict Content Security Policy blocking inline event handlers on XWiki responses.
  • Restrict network access to the XWiki instance so deletion confirmation URLs cannot be reached by unauthenticated external users.
  • Apply the macro changes from the upstream commit manually to macros.vm in the Flamingo skin and Web templates.
bash
# Verify installed XWiki version and upgrade
curl -sI https://<xwiki-host>/xwiki/bin/view/Main/ | grep -i xwiki
# Upgrade via distribution wizard or package manager to 16.10.10 or 17.4.2
# Example (Debian package): sudo apt-get update && sudo apt-get install --only-upgrade xwiki-tomcat9-common

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.