SCA: security update for org.xwiki.platform:xwiki-platform-rendering-macro-cache, org.xwiki.platform:xwiki-platform-rendering-macro-context, org.xwiki.platform:xwiki-platform-rendering-xwiki, org.xwiki.platform:xwiki-platform-security-requiredrights-default (GHSA-c32m-27pj-4xcj)

Severity: High | Tenable Cloud Security | Plugin ID 435922

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki is a generic wiki platform. When editing content that contains "dangerous" macros, such as malicious
script macros authored by a user with fewer rights, XWiki has warned about the execution of these
macros since XWiki 15.9RC1. The required rights analyzers that trigger these warnings are incomplete,
allowing an attacker to hide malicious content. For most macros, the existing analyzers don't consider
non-lowercase parameter names. Further, most macro parameters that can contain XWiki syntax, such as the titles of
information boxes, weren't analyzed at all. Similarly, the "source" parameters of the content macro and the context
macro weren't analyzed even though they could contain arbitrary XWiki syntax. In the worst case, this could
allow a malicious user to add malicious script macros, including Groovy or Python macros, to a page that are then
executed after another user with programming rights edits the page, thus allowing remote code execution.
The required rights analyzers have been made more robust and extended to cover those cases in XWiki
16.4.7, 16.10.3 and 17.0.0. (CVE-2025-49582)

See Also

https://github.com/advisories/GHSA-c32m-27pj-4xcj

Plugin Details

Severity: High

ID: 435922

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 11/4/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-49582

CVSS v3

Risk Factor: High

Base Score: 8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 7.3

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/13/2025

Vulnerability Publication Date: 6/13/2025

Reference Information

CVE: CVE-2025-49582

CWE: CWE-357