CVE-2025-51991

XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51991.md	Third Party Advisory Exploit
https://xwiki.org	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-20 15:15

Updated : 2025-09-11 13:50

NVD link : CVE-2025-51991

Mitre link : CVE-2025-51991

CVE.ORG link : CVE-2025-51991

JSON object : View

Products Affected

xwiki

xwiki

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2025-51991", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-08-20T15:15:33.327", "references": [{"url": "https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51991.md", "tags": ["Third Party Advisory", "Exploit"], "source": "[email protected]"}, {"url": "https://xwiki.org", "tags": ["Product"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields."}, {"lang": "es", "value": "XWiki, hasta la versi\u00f3n 17.3.0, es vulnerable a Server-Side Template Injection (SSTI) en la interfaz de Administraci\u00f3n, espec\u00edficamente en el campo HTTP Meta Info de la secci\u00f3n Presentaci\u00f3n de Preferencias Globales. Un administrador autenticado puede inyectar c\u00f3digo de plantilla Apache Velocity manipulado, el cual se procesa en el servidor sin la validaci\u00f3n ni el entorno de pruebas adecuados. Esto permite la ejecuci\u00f3n de l\u00f3gica de plantilla arbitraria, lo que puede exponer informaci\u00f3n interna del servidor o, en ciertas configuraciones, provocar una explotaci\u00f3n posterior, como la ejecuci\u00f3n remota de c\u00f3digo o la filtraci\u00f3n de datos confidenciales. La vulnerabilidad reside en el manejo inadecuado de la renderizaci\u00f3n din\u00e1mica de plantillas dentro de los campos de configuraci\u00f3n proporcionados por el usuario."}], "lastModified": "2025-09-11T13:50:55.417", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "299B1520-4DFC-4D21-A589-ECE23F2AAF60", "versionEndIncluding": "17.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}