SCA: security update for org.xwiki.platform:xwiki-platform-security-requiredrights-default (GHSA-59w6-r9hm-439h)

High | Tenable Cloud Security | Plugin ID 436967

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki is a generic wiki platform. In versions before 15.10.16, 16.0.0-rc-1 through 16.4.6, and 16.5.0-rc-1
through 16.10.1, when an attacker without script or programming right creates an XClass definition in
XWiki (requires edit right), and that same document is later edited by a user with script, admin, or
programming right, malicious code could be executed with the rights of the editing user without prior
warning. In particular, this concerns custom display code, the script of computed properties, and queries
in database list properties. Note that warnings before editing documents with dangerous properties were
only introduced in XWiki 15.9; before that version, this was a known issue and the advice was simply
to be careful. This has been patched in XWiki 16.10.2, 16.4.7 and 15.10.16 by adding an analysis for the
respective XClass properties. (CVE-2025-49585)

See Also

https://github.com/advisories/GHSA-59w6-r9hm-439h

Plugin Details

Severity: High

ID: 436967

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 1/26/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.07

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-49585

CVSS v3

Risk Factor: High

Base Score: 8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 7.3

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/13/2025

Vulnerability Publication Date: 6/13/2025

Reference Information

CVE: CVE-2025-49585

CWE: CWE-357