Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS13M3doLWc0bTktNzgzcM4ABKHn

Critical EPSS: 0.0059% (0.6823 Percentile) EPSS:
Permalink JSON

XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax

Affected Packages Affected Versions Fixed Versions
maven:org.xwiki.rendering:xwiki-rendering-syntax-xhtml >= 5.4.5, < 14.10 14.10
15 Dependent packages
111 Dependent repositories

Affected Version Ranges

All affected versions

5.4.5, 5.4.6, 5.4.7, 6.0.1, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.7, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 7.0.1, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.4.1, 7.4.2, 7.4.4, 7.4.5, 7.4.6, 8.2.1, 8.2.2, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.4.6, 9.1.1, 9.1.2, 9.3.1, 9.5.1, 9.8.1, 9.10.1, 9.11.1, 9.11.2, 9.11.3, 9.11.4, 9.11.5, 9.11.6, 9.11.7, 9.11.8, 9.11.9, 10.6.1, 10.7.1, 10.8.1, 10.8.2, 10.8.3, 10.11.1, 10.11.2, 10.11.3, 10.11.4, 10.11.5, 10.11.6, 10.11.7, 10.11.8, 10.11.9, 10.11.10, 10.11.11, 11.0.1, 11.0.2, 11.0.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.3.5, 11.3.6, 11.3.7, 11.6.1, 11.8.1, 11.10.1, 11.10.2, 11.10.3, 11.10.4, 11.10.5, 11.10.6, 11.10.7, 11.10.8, 11.10.10, 11.10.11, 11.10.12, 11.10.13, 12.2.1, 12.5.1, 12.6.1, 12.6.2, 12.6.3, 12.6.4, 12.6.5, 12.6.6, 12.6.7, 12.6.8, 12.7.1, 12.10.1, 12.10.2, 12.10.3, 12.10.4, 12.10.5, 12.10.6, 12.10.7, 12.10.8, 12.10.9, 12.10.10, 12.10.11, 13.4.1, 13.4.2, 13.4.3, 13.4.4, 13.4.5, 13.4.6, 13.4.7, 13.10.1, 13.10.2, 13.10.3, 13.10.4, 13.10.5, 13.10.6, 13.10.7, 13.10.8, 13.10.9, 13.10.10, 13.10.11, 14.2.1, 14.3.1, 14.4.1, 14.4.2, 14.4.3, 14.4.4, 14.4.5, 14.4.6, 14.4.7, 14.4.8

All unaffected versions

3.2.1, 3.3.1, 3.5.1, 4.0.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.3.1, 4.4.1, 4.5.1, 4.5.2, 4.5.3, 5.0.1, 5.0.2, 5.0.3, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 14.10.1, 14.10.2, 14.10.3, 14.10.4, 14.10.5, 14.10.6, 14.10.7, 14.10.8, 14.10.9, 14.10.10, 14.10.11, 14.10.12, 14.10.13, 14.10.14, 14.10.15, 14.10.16, 14.10.17, 14.10.18, 14.10.19, 14.10.20, 14.10.21, 15.5.1, 15.5.2, 15.5.3, 15.5.4, 15.5.5, 15.10.1, 15.10.2, 15.10.3, 15.10.4, 15.10.5, 15.10.6, 15.10.7, 15.10.8, 15.10.9, 15.10.10, 15.10.11, 15.10.12, 15.10.13, 15.10.14, 15.10.15, 15.10.16, 16.0.0, 16.1.0, 16.2.0, 16.3.0, 16.3.1, 16.4.0, 16.4.1, 16.4.2, 16.4.3, 16.4.4, 16.4.5, 16.4.6, 16.4.7, 16.4.8, 16.5.0, 16.6.0, 16.7.0, 16.7.1, 16.8.0, 16.9.0, 16.10.0, 16.10.1, 16.10.2, 16.10.3, 16.10.4, 16.10.5, 16.10.6, 16.10.7, 16.10.8, 16.10.9, 17.0.0, 17.1.0, 17.2.0, 17.2.1, 17.2.2, 17.3.0, 17.4.0, 17.4.1, 17.4.2, 17.5.0, 17.6.0

Impact

The XHTML syntax depended on the xdom+xml/current syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). The attack works by setting the document's syntax to xdom+xml/current and then inserting content like

<document><p><metadata><metadata><entry><string>syntax</string><org.xwiki.rendering.syntax.Syntax><type><name>XHTML</name><id>xhtml</id><variants class="empty-list"></variants></type><version>5</version></org.xwiki.rendering.syntax.Syntax></entry></metadata></metadata></p><rawtext syntax="html/5.0" content="&lt;script&gt;alert(1);&lt;/script&gt;"></rawtext></document>

This has been fixed by removing the dependency on the xdom+xml/current syntax from the XHTML syntax. Note that the xdom+xml syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. We're currently not aware of any further dependencies on it.

Patches

The fix of removing the dependency has been included in XWiki 14.10. It is not released for earlier versions due to the potential breakages, among others this change makes it necessary to update the Confluence XHTML syntax as it relies on internals that were changed for the fix. Similar XSS fixes were also not applied to the LTS version 13.10.x due to the potential breakages.

Workarounds

There are no known workarounds apart from upgrading.

References

For more information

If you have any questions or comments about this advisory:

References:

Identifiers

GHSA-w3wh-g4m9-783p

CVE-2025-53835

Risk

Severity

Critical

EPSS

EPSS Percentage: 0.0059

EPSS Percentile: 0.6823

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/xwiki/xwiki-rendering

Date and time

Published

16 days ago

Updated

16 days ago

API

JSON