Description

XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These inputs are stored and subsequently rendered without proper output encoding or sanitization on public-facing pages. As a result, the injected scripts are persistently executed in the browser context of any visitor to the affected instances including both authenticated and unauthenticated users. No user interaction is required beyond visiting a page that includes the malicious content. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions via session riding, or further compromise of the application through client-side attacks. The vulnerability introduces significant risk in any deployment, especially in shared or internet-facing environments where administrator credentials may be compromised.

INFO

Published Date :

2025-08-20T00:00:00.000Z

Last Modified :

2025-08-20T15:53:53.689Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-51990 vulnerability.

Vendors Products
Xwiki
  • Xwiki
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-51990.

URL Resource
https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51990.md cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact