CVE-2025-66472
📋 TL;DR
This CVE describes a reflected cross-site scripting (XSS) vulnerability in XWiki Platform that allows attackers to inject malicious scripts into deletion confirmation messages. When victims click the 'No' button on these messages, the attacker's script executes in their browser context. This affects users of XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates across multiple versions.
💻 Affected Systems
- XWiki Platform Flamingo Skin Resources
- XWiki Platform Web Templates
📦 What is this software?
XWiki by XWiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as the victim user, redirect to malicious sites, or install malware through the victim's browser.
Likely Case
Session hijacking, credential theft, or unauthorized actions performed in the victim's context.
If Mitigated
Limited impact if proper Content Security Policy (CSP) headers are implemented and user input validation is enforced.
🎯 Exploit Status
Exploitation requires user interaction (clicking 'No' button) but no authentication. Attack vector is reflected XSS through crafted URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.10.10 and 17.4.2
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vpr-jm38-wr7w
Restart Required: Yes
Instructions:
1. Identify your XWiki version.
2. Upgrade to 16.10.10 if on the 16.x series.
3. Upgrade to 17.4.2 if on the 17.x series.
4. Restart the XWiki application server.
5. Verify the fix by checking the version.
🔧 Temporary Workarounds
Implement Content Security Policy
Add CSP headers to restrict script execution from untrusted sources.
Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to the web server configuration. Roll it out as Content-Security-Policy-Report-Only first and review the reports, since a policy this strict can block scripts the application itself needs.
Input Validation Filter
Implement a web application firewall or input validation filter to sanitize user input in the deletion confirmation parameters.
Configure WAF rules to filter script tags and JavaScript in URL parameters
🧯 If You Can't Patch
- Implement strict Content Security Policy headers
- Disable or restrict access to deletion functionality for untrusted users
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version against the affected ranges. Test by attempting to inject a script into the deletion confirmation parameter and observing whether it executes.
Check Version:
Check XWiki administration panel or view page source for version information.
Verify Fix Applied:
After patching, attempt same XSS test and confirm script does not execute. Check version matches patched releases.
📡 Detection & Monitoring
Log Indicators:
- Unusual URL parameters containing script tags or JavaScript in deletion-related requests
- Multiple failed deletion attempts from same IP
Network Indicators:
- HTTP requests with suspicious parameters in deletion confirmation URLs
- Outbound connections to unknown domains after deletion actions
SIEM Query:
web.url:*delete* AND (web.url:*script* OR web.url:*javascript* OR web.url:*onclick*)
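The SIEM query above matches the raw URL, so a percent-encoded payload (for example %3Cscript%3E) slips past it. The following is an added example, not code from the page or from the XWiki project, that applies the same indicators to web server access logs after URL-decoding the query string, including double-encoded values; it generalizes the onclick case to any on*= event handler. The log lines, the /xwiki/bin/delete/... path and the msg parameter are constructed for illustration and are assumptions, not the vulnerable parameter named by the advisory.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format); the paths and the
# "msg" parameter are assumptions for this example, not from a real deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2025:10:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2025:10:00:02 +0000] "GET /xwiki/bin/delete/Sandbox/TestPage?confirm=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2025:10:00:03 +0000] "GET /xwiki/bin/delete/Sandbox/TestPage?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [10/Jan/2025:10:00:04 +0000] "GET /xwiki/bin/delete/Sandbox/TestPage?msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

# Request line inside a combined-format log entry: method, URL, protocol.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d')
# Indicators from the advisory's log section: script tags, javascript: URLs and
# inline event handlers (onclick is one instance of the on*= pattern).
SCRIPT_RE = re.compile(r'<\s*script|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %253C (double-encoded '<') is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_delete_request(url):
    """True when the request targets a delete action and its decoded query carries script indicators."""
    parts = urlsplit(url)
    if "delete" not in parts.path.lower():
        return False
    return bool(SCRIPT_RE.search(fully_decode(parts.query)))


def scan_log(text):
    """Return the log lines whose request line matches the reflected-XSS indicators."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_suspicious_delete_request(match.group(1)):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

Only the third and fourth sample lines are flagged; the fourth would be missed by a raw-string match because its payload is double-encoded.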