SCA: security update for org.xwiki.rendering:xwiki-rendering-syntax-xhtml (GHSA-w3wh-g4m9-783p)

critical Tenable Self-Hosted Container Security Plugin ID 428378

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax,
HTML, etc.) into another syntax (XHTML, etc.). Starting in version 5.4.5 and prior to version 14.10, the
XHTML syntax depended on the `xdom+xml/current` syntax, which allows the creation of raw blocks that permit
the insertion of arbitrary HTML content, including JavaScript. This allows XSS attacks by users who can
edit a document such as their user profile (enabled by default). This has been fixed in version 14.10 by
removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml`
syntax is still vulnerable to this attack. As its main purpose is testing and its use is quite difficult,
this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from
upgrading. (CVE-2025-53835)

See Also

https://github.com/advisories/GHSA-w3wh-g4m9-783p

Plugin Details

Severity: Critical

ID: 428378

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 7/15/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.66

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-53835

CVSS v3

Risk Factor: Critical

Base Score: 9

Temporal Score: 7.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/14/2025

Vulnerability Publication Date: 7/14/2025

Reference Information

CVE: CVE-2025-53835