N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66472

CVE-2025-66472: XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication

Impact

A reflected XSS vulnerability in XWiki allows an attacker to send a victim to a URL with a deletion confirmation message on which the attacker-supplied script is executed when the victim clicks the "No" button. When the victim has admin or programming right, this allows the attacker to execute basically arbitrary actions on the XWiki installation including remote code execution.

Patches

This vulnerability has been patched in XWiki 16.10.10, 17.4.2 and 17.5.0 by using the affected URL parameter only in the intended context.

Workarounds

The patch can be manually applied to the templates that are present in the WAR. A restart of XWiki is needed for the changes to be applied.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66472

CVE-2025-66472:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-flamingo-skin-resources	maven	>= 6.2-milestone-1, < 16.10.10	16.10.10
org.xwiki.platform:xwiki-platform-flamingo-skin-resources	maven	>= 17.0.0-rc-1, < 17.4.2	17.4.2
org.xwiki.platform:xwiki-platform-web-templates	maven	>= 6.2-milestone-1, < 16.10.10	16.10.10
org.xwiki.platform:xwiki-platform-web-templates	maven	>= 17.0.0-rc-1, < 17.4.2	17.4.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a reflected Cross-Site Scripting (XSS) issue within the XWiki platform. The root cause lies in the improper handling of the xredirect URL parameter when generating a deletion confirmation dialog. The commit cb578b1b2910d06e9dd7581077072d1cfbd280f2 reveals that the vulnerability exists in a Velocity template macro named xwikimessagebox, which is defined in two separate files for different skins/themes.

The vulnerable code constructed a button with an onclick javascript event handler. The value of the $urlno parameter, derived from the user-controllable xredirect parameter, was directly embedded within single quotes inside the onclick attribute. This allowed an attacker to break out of the string and inject arbitrary Javascript. For example, a crafted xredirect parameter like ';alert('XSS');// would result in the execution of the script when the "No" button on the confirmation page was clicked.

The patch remediates this by removing the input button and the associated onclick event handler entirely. It replaces them with standard <a> tags, where the $urlno is used in the href attribute. This change prevents the direct execution of Javascript from the onclick attribute, mitigating the XSS vulnerability.

The identified vulnerable "function" is the xwikimessagebox macro, as it's the specific piece of code responsible for the insecure construction of the UI component. While not a traditional compiled function, it is the runtime component that processes the malicious input and creates the vulnerable output.

Vulnerable functions

xwikimessagebox

xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/macros.vm

The `xwikimessagebox` macro in this Velocity template was vulnerable to reflected XSS. The `$urlno` parameter, controllable by an attacker via the `xredirect` URL parameter, was used to construct a javascript `onclick` event handler. The lack of proper escaping allowed an attacker to inject arbitrary javascript which would be executed when a user clicked the 'No' button in the confirmation dialog.

xwikimessagebox

xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/macros.vm

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66472: XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication

Impact

Patches

Workarounds

CVE-2025-66472:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-66472: XWiki vulnerable to a reflected XSS via xredirect parameter in DeleteApplication

Impact

Patches

Workarounds

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI