XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 26 Aug 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Xwiki xwiki
CPEs cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Vendors & Products Xwiki xwiki

Tue, 15 Jul 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 15 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00579}


Mon, 14 Jul 2025 23:15:00 +0000

Type Values Removed Values Added
Description XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.
Title XWiki Rendering is vulnerable to XSS attacks through insecure XHTML syntax
Weaknesses CWE-79
CWE-80
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-07-15T19:49:26.336Z

Reserved: 2025-07-09T14:14:52.532Z

Link: CVE-2025-53835

cve-icon Vulnrichment

Updated: 2025-07-15T13:25:19.905Z

cve-icon NVD

Status : Analyzed

Published: 2025-07-14T23:15:25.090

Modified: 2025-08-26T17:52:40.370

Link: CVE-2025-53835

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-07-16T21:35:33Z