SCA: security update for org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui (GHSA-rmm7-r7wr-xpfg)

high Tenable Self-Hosted Container Security Plugin ID 418815

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.
NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the
versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting
with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, that
where already there or that may join later, have **script** or **programming** access rights. This user
can then insert **script rendering macros** that are executed for those users in the realtime session that
have script or programming rights. The inserted scripts can be used to gain more access rights. This
vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade.
Users unable to upgrade may either disable the realtime WYSIWYG editing by disabling the ``xwiki-
realtime`` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime
WYSIWYG Editorextension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui). (CVE-2025-23025)

See Also

https://github.com/advisories/GHSA-rmm7-r7wr-xpfg

Plugin Details

Severity: High

ID: 418815

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-23025

CVSS v3

Risk Factor: High

Base Score: 8

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/14/2025

Vulnerability Publication Date: 1/14/2025

Reference Information

CVE: CVE-2025-23025

cwe: CWE-862