CVE-2025-58365: XWiki Blog Application: Privilege Escalation (PR) from account through blog content

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 9/8/2025
Updated: 9/8/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name: org.xwiki.contrib.blog:application-blog-ui
Ecosystem: maven
Vulnerable Versions: < 9.14
First Patched Version: 9.14

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability is a privilege escalation in the XWiki Blog Application, where any user with edit rights could execute code with the privileges of another user viewing the content. The root cause was the improper rendering of user-provided content, specifically the 'content' and 'extract' fields of a blog post.

The analysis of the security patch (commit b98ab6f17da3029576f42d12b4442cd555c7e0b4) reveals that the application used unsafe methods to render content in several places.

  1. Direct Unsafe Rendering: In Velocity templates like BlogCode.xml and BlogPostLayoutImage.xml, the application was calling $doc.getRenderedContent(...) on the raw content of a blog post. This method, com.xpn.xwiki.api.Document.getRenderedContent, rendered the content with the permissions of the current user viewing the page, not the author of the post. This allowed an attacker to inject a script macro into a post, which would then be executed with the rights of whoever viewed it, including administrators.

  2. Unsafe Script Service: In the RSS feed generation (RssCode.xml), the application used a script service method, org.xwiki.contrib.blog.script.BlogScriptService.renderRSSDescription. This function also took raw content and rendered it, leading to the same privilege escalation issue for users consuming the RSS feed.

The patch addresses these issues by:

  • Replacing all calls to $doc.getRenderedContent with a new, safer script service method: $services.blog.renderContentHTML.
  • The new renderContentHTML function internally uses document.display(...), which is the standard, secure way to render content in XWiki as it correctly uses the author's context for execution.
  • Deprecating the vulnerable renderRSSDescription function.
  • In CategorySheet.xml, replacing a call to getRenderedContent with {{include reference="" author="target"/}}, which ensures the content is rendered with the author's rights.

Therefore, the key functions that would appear in a runtime profile during exploitation are com.xpn.xwiki.api.Document.getRenderedContent (due to its use in the templates) and org.xwiki.contrib.blog.script.BlogScriptService.renderRSSDescription.
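As an added check (example code written for this page, not code from Miggo or from the XWiki Blog Application), the following Python script scans exported XWiki page XML/Velocity templates for the two viewer-context renderers named above and confirms that the patched forms are not flagged. The two templates inside it are constructed samples, not the real BlogCode.xml or RssCode.xml; only the API names ($doc.getRenderedContent, renderRSSDescription, $services.blog.renderContentHTML, display, and the include macro with author="target") come from the page. The include reference is a placeholder, and the choice to flag only the argument-taking getRenderedContent overloads is an assumption of this example.

```python
"""Static audit of XWiki Velocity/wiki templates for the unsafe rendering
pattern behind CVE-2025-58365.

Added example; not code from the Miggo page or from the XWiki Blog
Application. The two templates below are constructed samples, not the real
BlogCode.xml / RssCode.xml; only the API names come from the page.
"""
import re
from dataclasses import dataclass

# Unsafe: renders caller-supplied text in the *viewing* user's context.
# The argument-taking getRenderedContent overloads are what the analysis
# describes; the no-argument form renders the document's own content and is
# left to manual review here (assumption of this example, not the page).
UNSAFE_PATTERNS = {
    "getRenderedContent(text)": re.compile(r"\$\w+\.getRenderedContent\s*\(\s*(?!\))"),
    "renderRSSDescription": re.compile(r"\$services\.blog\.renderRSSDescription\s*\("),
}

# Safe: renders in the content *author's* context, as the patch does.
SAFE_PATTERNS = {
    "renderContentHTML": re.compile(r"\$services\.blog\.renderContentHTML\s*\("),
    "display": re.compile(r"\$\w+\.display\s*\("),
    "include author=target": re.compile(r'\{\{include\b[^}]*\bauthor="target"'),
}


@dataclass(frozen=True)
class Finding:
    template: str
    line: int
    pattern: str
    text: str


def audit_template(name: str, source: str) -> list[Finding]:
    """One Finding per line that calls an unsafe renderer. Velocity '##'
    line comments are skipped; '#* ... *#' block comments are not handled."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("##"):
            continue
        for label, rx in UNSAFE_PATTERNS.items():
            if rx.search(line):
                findings.append(Finding(name, lineno, label, line.strip()))
    return findings


def safe_renderers_used(source: str) -> list[str]:
    """Names of author-context renderers present in the template."""
    return [label for label, rx in SAFE_PATTERNS.items() if rx.search(source)]


def audit_report(templates: dict[str, str]) -> dict[str, dict]:
    """Per-template summary: unsafe findings plus which safe renderers appear."""
    report = {}
    for name, src in templates.items():
        unsafe = audit_template(name, src)
        report[name] = {
            "unsafe": unsafe,
            "safe": safe_renderers_used(src),
            "clean": not unsafe,
        }
    return report


# Constructed "before" sample: raw post content handed to the viewer-context
# renderers named in the analysis.
VULNERABLE_SAMPLE = """\
## constructed sample, not the real BlogCode.xml / RssCode.xml
#set ($post = $xwiki.getDocument($postRef))
<div class="entry-content">
  $doc.getRenderedContent($post.getValue('content'), 'xwiki/2.1')
</div>
<description>$services.blog.renderRSSDescription($post)</description>
"""

# Constructed "after" sample: the same field rendered through display(),
# which the analysis identifies as the author-context path, plus the
# include-macro form used in CategorySheet.xml (reference is a placeholder).
PATCHED_SAMPLE = """\
## constructed sample of the patched pattern
#set ($post = $xwiki.getDocument($postRef))
<div class="entry-content">
  $post.display('content')
</div>
{{include reference="Blog.ExamplePost" author="target"/}}
"""

if __name__ == "__main__":
    for name, result in audit_report(
        {"vulnerable.vm": VULNERABLE_SAMPLE, "patched.vm": PATCHED_SAMPLE}
    ).items():
        print(name, "clean" if result["clean"] else "UNSAFE")
        for f in result["unsafe"]:
            print(f"  line {f.line}: {f.pattern}: {f.text}")
```

Pointed at an extension's page XML files, the script turns the analysis above into a repeatable review step: every hit is a place where user-supplied content reaches a renderer that runs with the viewer's rights, and a template that only uses display(), renderContentHTML or the include macro with author="target" comes back clean. Findings are review leads rather than proof, since the regexes do not parse Velocity block comments or follow calls through helper macros.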


WAF Protection Rules

Impact

The blog application in XWiki allowed remote code execution for any user who has edit right on any page. Normally, these are all logged-in users as they can edit their own user profile. To exploit, it is sufficient to add an object of type
