Platform: java
Component: org.xwiki.contrib.markdown:syntax-markdown-commonmark12
Fixed in: 8.2.1, 8.9
CVE-2025-46558 is a critical Cross-Site Scripting (XSS) vulnerability in the XWiki Markdown Syntax 1.2 component. The flaw lets an attacker inject JavaScript through Markdown syntax, putting user data and system integrity at risk. It affects XWiki installations running versions of the component prior to 8.9; the fix is available in version 8.9.
The impact of this XSS vulnerability is severe. An attacker can embed arbitrary JavaScript in Markdown content, and it executes in the browser of any user who views the document or comment containing it. This enables a wide range of attacks, including session hijacking, defacement of the XWiki instance, and theft of sensitive data. If the payload runs in the session of a user with administrator or programming rights, the entire XWiki installation is at risk, up to complete compromise of the system and its data. Because Markdown is a commonly used input format, this injection vector significantly increases the attack surface and the potential for exploitation.
CVE-2025-46558 was publicly disclosed on 2025-04-30. Its criticality (CVSS score of 9) indicates a high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but XSS vulnerabilities are generally easy to exploit, so a PoC is likely to emerge. Monitor security advisories and threat intelligence feeds for indications of active exploitation campaigns targeting this vulnerability.
Organizations running XWiki with the CommonMark Markdown Syntax 1.2 extension installed are at risk, including those relying on XWiki for collaborative documentation, knowledge management, or content creation. Instances with limited input validation or without robust WAF protection are particularly exposed.
• java / server: Monitor XWiki application logs for errors or unusual activity related to Markdown parsing. JVM profiling or tracing tools can help attribute suspicious rendering activity to classes in the org.xwiki.contrib.markdown package.
• generic web: Use curl/wget to check whether the vulnerable Markdown syntax extension is present. Inspect the HTML returned for pages containing rendered Markdown for unexpected script content.
• wordpress / composer / npm: N/A - This vulnerability is specific to the XWiki platform.
• database (mysql, redis, mongodb, postgresql): N/A - This vulnerability does not directly impact databases.
EPSS: 3.03% (87th percentile)
The primary mitigation for CVE-2025-46558 is to upgrade XWiki to version 8.9 or later, which includes the necessary fix. If upgrading immediately is not possible, consider implementing temporary workarounds. These may include restricting user permissions to prevent users without scripting rights from creating or editing Markdown content. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting Markdown syntax could also provide a layer of defense. Carefully review and sanitize all user-generated Markdown content before rendering it. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload within a Markdown document and verifying that it does not execute.
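To check a build's declared version of the affected component before and after the upgrade, here is an added example (not from the original advisory or the XWiki project) that scans a Maven pom.xml for the coordinates and fixed versions listed in the header above. It assumes, since the page does not say so, that 8.2.1 is a backported fix for the 8.2.x line and 8.9 the fix for 8.3 and later; the sample pom.xml is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Component coordinates and fixed versions exactly as listed in the advisory header.
GROUP_ID = "org.xwiki.contrib.markdown"
ARTIFACT_ID = "syntax-markdown-commonmark12"
FIX_BACKPORT, FIX_MAINLINE = "8.2.1", "8.9"

def parse_version(text):
    """'8.2.1' / '8.9' / '8.9-SNAPSHOT' -> comparable (major, minor, patch) tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable(version):
    # Assumption (not stated on the page): 8.2.1 is the backported fix for the 8.2.x
    # line and 8.9 the fix for 8.3+, so 8.2.1..8.2.x are patched but 8.3..8.8 are not.
    v = parse_version(version)
    if v < parse_version(FIX_BACKPORT):
        return True
    if v < (8, 3, 0):
        return False
    return v < parse_version(FIX_MAINLINE)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the Maven POM XML namespace

def find_vulnerable_dependencies(pom_xml):
    """Resolved versions of every vulnerable declaration of the component in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for sect in root if _local(sect.tag) == "properties" for p in sect}
    hits = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (fields.get("groupId"), fields.get("artifactId")) != (GROUP_ID, ARTIFACT_ID):
            continue
        version = fields.get("version", "")
        m = re.fullmatch(r"\$\{(.+)\}", version)  # resolve ${property} from <properties>
        version = props.get(m.group(1), version) if m else version
        if is_vulnerable(version):  # an unresolved placeholder parses as 0.0.0 and is flagged
            hits.append(version)
    return hits

# Constructed sample pom.xml (not from the page); the version comes from a Maven property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><markdown.version>8.7</markdown.version></properties>
  <dependencies><dependency><groupId>org.xwiki.contrib.markdown</groupId>
  <artifactId>syntax-markdown-commonmark12</artifactId><version>${markdown.version}</version>
  </dependency></dependencies></project>"""
```

`find_vulnerable_dependencies(SAMPLE_POM)` returns `['8.7']`; after bumping the property to 8.9 it returns an empty list.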
Update the Syntax Markdown plugin to version 8.9 or later. This version contains a fix for the XSS vulnerability. The update can be performed through the XWiki administration interface.
CVE-2025-46558 is a critical XSS vulnerability in XWiki's Markdown Syntax 1.2 component, allowing attackers to inject JavaScript code via Markdown, potentially compromising user sessions and the entire XWiki installation.
You are affected if you are using XWiki with the CommonMark Markdown Syntax 1.2 extension installed and have not upgraded to version 8.9 or later.
Upgrade XWiki to version 8.9 or later. As a temporary workaround, consider disabling the extension or implementing strict input validation and WAF rules.
While no widespread exploitation has been confirmed, the vulnerability's ease of exploitation suggests a potential for active campaigns. Continuous monitoring is recommended.
Refer to the official XWiki security advisory for detailed information and updates: [https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories](https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories)