This vulnerability affects the `org.xwiki.contrib.markdown:syntax-markdown-commonmark12` package and allows attackers to inject malicious JavaScript through Markdown content. The issue arises because HTML tags embedded in Markdown content are not properly sanitized when the Markdown is rendered. When a user submits a Markdown-formatted document or comment containing embedded JavaScript (e.g., `<script>alert("XSS")</script>`), the script executes in the browser of any user viewing the content.
The impact is severe when an admin or privileged user views the malicious content, as it can lead to full compromise of the XWiki instance. The vulnerability exists in versions `>= 8.2, < 8.9` and is fixed in version 8.9.
DailyCVE Form:
Platform: XWiki
Version: 8.2 – 8.8
Vulnerability: XSS via Markdown
Severity: Critical
Date: Apr 30, 2025
What Undercode Say:
Exploitation:
1. Payload Injection: `<script>alert(document.cookie)</script>`
2. Stored XSS Attack:
- Save payload in a Markdown document.
- Trigger execution when viewed.
Detection:
1. Check Installed Version: `xwiki-version | grep "markdown-commonmark12"`
2. Manual Test:
- Edit a document in Markdown syntax.
- Insert `<script>alert(1)</script>`.
Mitigation:
1. Patch Upgrade: `xwiki-package update syntax-markdown-commonmark12 --version 8.9`
2. Content Security Policy (CSP): `Content-Security-Policy: script-src 'self'`
3. Input Sanitization (run an allowlisting sanitizer on the renderer's HTML output, not on the raw Markdown, because CommonMark passes raw HTML blocks through unchanged; shown here with the OWASP Java HTML Sanitizer):
`PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);`
`String sanitized = policy.sanitize(renderedHtml);`
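The same allowlist filtering of rendered Markdown output, written out as an added example (not code from XWiki or the extension): it uses only the Python standard library, the tag and attribute allowlist is constructed for illustration, and it covers the case behind this bug, raw `<script>` blocks and `on*`/`javascript:` attributes surviving a CommonMark render.

```python
from html import escape
from html.parser import HTMLParser

# Added example (not XWiki code). CommonMark passes raw HTML blocks through
# unchanged, so the *rendered* HTML must be filtered against an allowlist
# before it is shown. Constructed allowlist for a wiki comment:
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}        # no on* handlers anywhere
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/", "#")
VOID_TAGS = {"br"}


class _AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0  # >0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return  # unknown tag removed, its text content is kept
        kept = ""
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # drops javascript: and data: URLs
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.dropping = max(0, self.dropping - 1)
        elif not self.dropping and tag in ALLOWED_TAGS - VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))  # re-escape text

def sanitize_rendered_html(html: str) -> str:
    """Return HTML containing only allowlisted tags and attributes."""
    p = _AllowlistSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```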
Reported By: github.com