Description

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.

Remediation

References

CVE-2025-53835

Related Vulnerabilities

phpMyAdmin Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2016-2038)

WordPress Plugin EWWW Image Optimizer Remote Code Execution (2.8.3)

Oracle Database Server CVE-2010-0902 Vulnerability (CVE-2010-0902)

WordPress Plugin WP RSS Multi Importer Multiple Cross-Site Request Forgery Vulnerabilities (3.11)

WordPress Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Vulnerability (CVE-2016-10033)

Severity

Critical

Classification

CVE-2025-53835 CWE-707 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities