XWiki fails to show the required-rights warning for `NotificationDisplayer` objects, leading to a stored XSS vulnerability. When a low-privileged user creates a document containing a malicious `XWiki.Notifications.Code.NotificationDisplayerClass` object, an admin who later edits and saves that document triggers raw HTML rendering without sufficient warning. The injected payload executes in the admin's context, bypassing Velocity script restrictions. Although XWiki 15.9+ introduced warnings for dangerous properties, earlier versions lack this safeguard. The flaw stems from missing required-rights validation during admin edits, which allows untrusted content to persist.
DailyCVE Form:
Platform: XWiki
Version: 15.9-rc-1 to 16.10.1
Vulnerability: Stored XSS
Severity: Moderate
Date: Jun 13, 2025
Prediction: Patch by Jul 2025
What Undercode Say:
```xml
<!-- Example vulnerable object -->
<object class="XWiki.Notifications.Code.NotificationDisplayerClass">
  <property name="content"><script>malicious()</script></property>
</object>
```
`checkScriptRights()` is missing in affected versions.
How it is exploited:
1. Low-privileged user creates document with malicious `NotificationDisplayer`.
2. Admin edits/saves document.
3. Payload renders as raw HTML.
Protection from this CVE:
- Upgrade to XWiki 15.10.16/16.4.7/16.10.2.
- Audit documents for `NotificationDisplayerClass` objects.
- Restrict script/admin rights.
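The audit step above, as an added example that is not part of the original post or of XWiki itself: a small Python script that scans exported XWiki page XML (XAR layout) for `NotificationDisplayerClass` objects, records who last saved the page, and flags property values that look like raw HTML or script before an admin opens them in the editor. The XAR element names (`author`, `object`, `className`, `number`, `property`) and the field names in the constructed sample are assumptions to verify against a real export.

```python
import xml.etree.ElementTree as ET

# Object class named in the advisory. Element/field tags below follow the XWiki
# XAR page-XML layout as assumed here; verify against a real export.
DISPLAYER_CLASS = "XWiki.Notifications.Code.NotificationDisplayerClass"
# Crude markers for raw HTML/script in a property value (heuristic, not a parser).
RISKY_MARKERS = ("<script", "javascript:", "onerror=", "onload=", "{{html", "{{velocity")


def audit_document(page_xml, trusted_authors):
    """Return one finding per NotificationDisplayerClass object in an exported page."""
    root = ET.fromstring(page_xml)
    reference = root.get("reference") or f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("author") or ""
    findings = []
    for obj in root.findall("object"):
        if obj.findtext("className") != DISPLAYER_CLASS:
            continue
        risky_fields = []
        for prop in obj.findall("property"):
            for field in prop:  # each <property> wraps one element named after the field
                value = (field.text or "").lower()
                if any(marker in value for marker in RISKY_MARKERS):
                    risky_fields.append(field.tag)
        findings.append({
            "document": reference,
            "object": int(obj.findtext("number") or -1),
            "author": author,
            "trusted_author": author in trusted_authors,
            "risky_fields": risky_fields,
        })
    return findings


def needs_review(finding):
    """Do not save blindly: untrusted last author or HTML-looking field content."""
    return not finding["trusted_author"] or bool(finding["risky_fields"])


# Constructed sample export: a displayer object saved by a low-privileged user.
SAMPLE_PAGE = """<xwikidoc reference="Sandbox.Evil">
  <web>Sandbox</web><name>Evil</name>
  <author>xwiki:XWiki.lowpriv</author>
  <object>
    <className>XWiki.Notifications.Code.NotificationDisplayerClass</className>
    <number>0</number>
    <property><eventType>create</eventType></property>
    <property><notificationTemplate>{{html}}&lt;script&gt;x()&lt;/script&gt;{{/html}}</notificationTemplate></property>
  </object>
</xwikidoc>"""

if __name__ == "__main__":
    for f in audit_document(SAMPLE_PAGE, trusted_authors={"xwiki:XWiki.Admin"}):
        print(("REVIEW " if needs_review(f) else "ok     ") + str(f))
```

Run it over every `*.xml` in an unpacked XAR export; anything printed with `REVIEW` should be inspected or deleted before any admin edits and saves that page.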
Impact:
- Admin session hijacking via XSS.
- Data theft/privilege escalation.
Sources:
Reported By: github.com