XWiki, Missing Security Warning for Admin Rights, CVE-2025-XXXXX (Moderate)


This CVE concerns XWiki's required-rights warnings. When an administrator edits a document that contains an `XWiki.Notifications.Code.NotificationEmailRendererClass` object, XWiki does not warn that saving the document will put that object under the saver's rights. A user with edit right but no script right can therefore create a document holding such an object with crafted email templates; while that user remains the document's author the templates are not honoured. If an admin later opens the document in the editor and saves it, the admin becomes its author and the custom templates take effect. Velocity code inside the templates is already caught by the existing Velocity analyzers, so the gap is limited to the templates themselves: an attacker can use them to send crafted notification emails (for example with phishing links) or to blank out legitimate alerts. Versions before 15.9 have no warnings for dangerous properties at all, which makes the same trick easier there. The issue is fixed by adding a required-rights analyzer for the affected XClass.

DailyCVE Form:

Platform: XWiki
Version: <15.10.16, 16.0.0-16.4.6, 16.5.0-16.10.1
Vulnerability: Missing security warning
Severity: Moderate
Date: Jun 13, 2025

Prediction: Patch expected by Jun 20, 2025

What Undercode Say:

Check XWiki version:
Compare the running version (shown in the page footer, or returned by the REST root resource `/rest/` as a `<version>` element) with the fixed releases 15.10.16, 16.4.7 and 16.10.2.
Verify patch:
On a patched instance, opening the editor on a document that contains an `XWiki.Notifications.Code.NotificationEmailRendererClass` object last saved by a lower-privileged user shows a required-rights warning for that object; on an unpatched instance no warning appears.
Log analysis:
XWiki has no per-CVE audit filter. Instead, inventory the documents that carry the XClass with an XWQL query such as `from doc.object(XWiki.Notifications.Code.NotificationEmailRendererClass) as obj` (through the Query Module or the REST `/rest/wikis/{wiki}/query` endpoint) and review every hit whose last author is not a trusted, script-right-holding account before anyone with higher rights edits it.
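The three checks above, as an added Python example that is not part of this post or of XWiki's own code. It assumes XWiki's REST query endpoint (`/rest/wikis/{wiki}/query?q=...&type=xwql`) answers with a `searchResults`/`searchResult` XML document that carries `pageFullName` and `author` elements; the affected ranges come from the version line above, and the sample response and the trusted-author allowlist are constructed for illustration.

```python
"""Triage helper for the NotificationEmailRendererClass warning gap.

Added example, not XWiki project code. Offline checks:
  1. is_vulnerable(): test a reported XWiki version against the
     affected ranges listed in this post.
  2. inventory_query_url(): build the REST XWQL query that lists every
     document holding an object of the dangerous XClass.
  3. untrusted_template_docs(): parse that query's XML answer and flag
     documents whose last author is not a known script-right holder
     (the allowlist is an assumption; rights are not derivable offline).
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

DANGEROUS_XCLASS = "XWiki.Notifications.Code.NotificationEmailRendererClass"

# Affected ranges from the version line of this post:
#   <15.10.16, 16.0.0-16.4.6, 16.5.0-16.10.1  (fixed: 15.10.16, 16.4.7, 16.10.2)
AFFECTED_RANGES = [
    ((0, 0, 0), (15, 10, 15)),
    ((16, 0, 0), (16, 4, 6)),
    ((16, 5, 0), (16, 10, 1)),
]

# XWiki REST resources use this default namespace (assumption).
NS = {"x": "http://www.xwiki.org"}


def parse_version(text):
    """Turn '16.4.7' or '14.10' into a comparable (major, minor, patch) tuple.

    A missing patch component counts as 0; pre-release suffixes such as
    '-rc-1' are ignored, so treat release candidates manually.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version_text):
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version_text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def inventory_query_url(base_url, wiki="xwiki", page_size=100):
    """REST URL of an XWQL query returning every document that holds an
    object of the dangerous XClass (endpoint shape is an assumption)."""
    xwql = f"from doc.object({DANGEROUS_XCLASS}) as obj"
    params = urlencode({"q": xwql, "type": "xwql", "number": page_size})
    return f"{base_url.rstrip('/')}/rest/wikis/{wiki}/query?{params}"


def untrusted_template_docs(search_xml, trusted_authors):
    """Return (pageFullName, author) for each hit whose last author is not
    in trusted_authors: these are the documents an admin must inspect
    before saving, because saving would make the admin their author."""
    root = ET.fromstring(search_xml)
    flagged = []
    for hit in root.findall("x:searchResult", NS):
        page = hit.findtext("x:pageFullName", default="?", namespaces=NS)
        author = hit.findtext("x:author", default="", namespaces=NS)
        if author not in trusted_authors:
            flagged.append((page, author))
    return flagged


# Constructed sample of the REST answer, not captured from a real wiki.
SAMPLE_SEARCH_XML = """<searchResults xmlns="http://www.xwiki.org">
  <searchResult>
    <type>page</type>
    <pageFullName>XWiki.Notifications.Code.NotificationEmailRenderer</pageFullName>
    <author>XWiki.Admin</author>
  </searchResult>
  <searchResult>
    <type>page</type>
    <pageFullName>Sandbox.NewsletterTemplate</pageFullName>
    <author>XWiki.mallory</author>
  </searchResult>
</searchResults>
"""

if __name__ == "__main__":
    for v in ("15.10.15", "15.10.16", "16.4.6", "16.4.7", "16.10.1", "16.10.2"):
        print(f"{v:>9}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    print("inventory query:", inventory_query_url("https://wiki.example.org"))
    # Hypothetical allowlist of accounts known to hold script right.
    for page, author in untrusted_template_docs(SAMPLE_SEARCH_XML, {"XWiki.Admin"}):
        print(f"review before saving as admin: {page} (last author {author})")
```

Run the query URL with an authenticated client, feed the XML to `untrusted_template_docs`, and treat every flagged page as a document that must not be opened and saved from a script- or programming-right account until its templates have been read.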

How Exploit:

  • An attacker with edit right but no script right creates a document containing a `NotificationEmailRendererClass` object whose templates carry phishing content, or are emptied to blank out a real alert.
  • An administrator opens that document in the editor and saves it; no warning is shown, and the admin becomes the document's author.
  • Notifications matching the object are now rendered with the attacker's templates and delivered as legitimate XWiki mail.

Protection from this CVE:

  • Upgrade to 15.10.16, 16.4.7 or 16.10.2 (or later).
  • Before saving a document last authored by an untrusted user while holding script or programming right, inspect its objects and remove any `NotificationEmailRendererClass` object you did not add.
  • Watch outgoing notification mail (mail sending status in the administration, mail server logs) for unexpected templates or content.

Impact:

  • Spam/phishing delivered through trusted notification emails.
  • Suppressed or altered security alerts.
  • No code execution: Velocity in the templates is still caught by the existing analyzers.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
