How the CVE Works
The vulnerability arises when an attacker with edit rights on an App Within Minutes (AWM) application modifies an XClass and triggers a preview. Due to insufficient input validation, malicious code embedded in the XClass can be executed on the server. This grants the attacker programming rights, leading to remote code execution (RCE). The flaw exists in XWiki’s handling of XClass previews, allowing arbitrary script injection through crafted payloads.
DailyCVE Form:
Platform: XWiki
Version: 7.2-milestone-2 to 16.4.6, 16.5.0-rc-1 to 16.10.2, 17.0.0-rc-1
Vulnerability: Remote Code Execution
Severity: Critical
Date: Jun 13, 2025
Prediction: Patch expected by Jun 20, 2025
What Undercode Says
Check XWiki version:
curl -I http://target/xwiki/bin/Main/WebHome

Exploit PoC (simulated):
POST /xwiki/bin/preview/AWM/XClass HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded

Payload: malicious_script=system("id")
How the Exploit Works
1. Attacker logs in with edit rights.
2. Modifies XClass in AWM app.
3. Injects malicious script in preview request.
4. Server executes script due to flawed validation.
Protection from this CVE
1. Upgrade to XWiki 16.4.7, 16.10.3, or 17.0.0.
2. Restrict AWM edit rights to trusted users.
3. Disable preview functionality if unused.
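The first protection step only helps if an administrator can tell whether a given XWiki instance is inside the affected ranges, and XWiki pre-release qualifiers (milestone, rc) make plain string comparison unreliable. The following added example (not part of this advisory or of the XWiki project) parses XWiki-style version strings, orders them the way XWiki releases are ordered, and maps an affected version to the fixed release named above. It assumes the version string has already been obtained (for instance from the administration UI); the sample versions at the bottom are constructed for illustration.

```python
# Added example: classify an XWiki version against the affected ranges in this
# advisory. Not code from the advisory or from XWiki itself.
import re

# Pre-release qualifiers sort before the final release with the same number:
# 17.0.0-rc-1 < 17.0.0, and 7.2-milestone-2 < 7.2-rc-1 < 7.2.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

# Inclusive affected ranges and the fixed release for each, as listed above.
AFFECTED_RANGES = [
    ("7.2-milestone-2", "16.4.6", "16.4.7"),
    ("16.5.0-rc-1", "16.10.2", "16.10.3"),
    ("17.0.0-rc-1", "17.0.0-rc-1", "17.0.0"),  # the advisory names only this rc
]


def parse_version(text):
    """Turn '16.5.0-rc-1' into a tuple that sorts like XWiki releases do.

    Result shape: (major, minor, patch, qualifier_rank, qualifier_number).
    """
    text = text.strip()
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    numbers = [int(part) for part in m.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))  # '7.2' is treated as 7.2.0
    if m.group(2) is None:
        qualifier = (_FINAL_RANK, 0)
    else:
        qualifier = (_QUALIFIER_RANK[m.group(2)], int(m.group(3)))
    return tuple(numbers[:3]) + qualifier


def check_version(text):
    """Return (affected, fixed_version) for a version string.

    fixed_version is None when the version is not in an affected range.
    """
    version = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= version <= parse_version(high):
            return True, fixed
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = {
        "wiki-a": "16.4.6",
        "wiki-b": "16.4.7",
        "wiki-c": "17.0.0-rc-1",
        "wiki-d": "7.2-milestone-1",
    }
    for host, version in inventory.items():
        affected, fixed = check_version(version)
        status = f"AFFECTED, upgrade to {fixed}" if affected else "not affected"
        print(f"{host}: {version} -> {status}")
```

The ordering tuple is what makes the boundary cases correct: 17.0.0-rc-1 is reported as affected while 17.0.0 is not, and 7.2-milestone-1 falls just below the start of the first range.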
Impact
- Full server compromise via RCE.
- Unauthorized data access/modification.
- Privilege escalation to admin rights.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode