XWikiplatform Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2025-53835 - Vulnerability Database

Critical
Reference: CVE-2025-53835
Title: XWikiplatform Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the xdom+xml/current syntax, which allows the creation of raw blocks that permit the insertion of arbitrary HTML content, including JavaScript. This allows XSS attacks by any user who can edit a document, such as their own user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the xdom+xml/current syntax from the XHTML syntax. Note that the xdom+xml syntax is still vulnerable to this attack. As its main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading.
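The following triage check is an added example, not code from XWiki or from this database: it applies the advisory's range (5.4.5 up to, but not including, 14.10) to version strings and separately flags any instance that lists the xdom+xml syntax. The inventory, the function names and the treatment of `-rc`/`-SNAPSHOT` qualifiers as pre-releases are assumptions.

```python
import re

AFFECTED_FROM = (5, 4, 5)  # first affected version, per the advisory
FIXED_IN = (14, 10)        # first fixed version, per the advisory
RISKY_SYNTAX = "xdom+xml"  # syntax the advisory says is still vulnerable

def parse_version(text):
    """Return (numbers, is_prerelease) for strings such as '14.10-rc-1'.

    Assumption: a '-qualifier' suffix (rc, milestone, SNAPSHOT) marks a build
    that precedes the plain release with the same numbers.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(-[A-Za-z].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, m.group(2) is not None

def _key(nums, prerelease):
    # Pad to four components; a pre-release sorts just below its release.
    padded = nums + (0,) * (4 - len(nums))
    return padded + (0 if prerelease else 1,)

def in_affected_range(version):
    """True when 5.4.5 <= version < 14.10."""
    key = _key(*parse_version(version))
    return _key(AFFECTED_FROM, False) <= key < _key(FIXED_IN, False)

def assess(version, syntaxes):
    """Return the findings for one wiki instance."""
    findings = []
    if in_affected_range(version):
        findings.append("upgrade to 14.10 or later")
    if any(s.split("/")[0].strip().lower() == RISKY_SYNTAX for s in syntaxes):
        findings.append("remove the xdom+xml syntax")
    return findings

# Constructed inventory: (name, version, installed syntax ids).
INVENTORY = [
    ("wiki-a", "13.10.11", ["xwiki/2.1", "xhtml/1.0"]),
    ("wiki-b", "14.10-rc-1", ["xwiki/2.1"]),
    ("wiki-c", "14.10.2", ["xwiki/2.1", "xdom+xml/current"]),
    ("wiki-d", "5.4.4", ["xwiki/2.0"]),
]

if __name__ == "__main__":
    for name, version, syntaxes in INVENTORY:
        print(name, version, assess(version, syntaxes) or ["no finding"])
```

A release candidate of 14.10 is reported as affected because it precedes the fixed release, and a patched instance is still flagged when the xdom+xml syntax is present.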