PT-2025-34071 · Xwiki · Xwiki

Malcxlmj · Published 2025-08-16 · Updated 2025-11-12 · CVE-2025-51990

CVSS v2.0: 5.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: XWiki versions through 17.3.0
Description: XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically in the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These values are stored and subsequently rendered on public-facing pages without proper output encoding or sanitization, so the injected scripts execute persistently in the browser context of any visitor, authenticated or not. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions, or further compromise of the application through client-side attacks.
Recommendations: Upgrade to XWiki version 17.4.0 or later. As a temporary workaround, restrict access to the Administration interface to minimize the risk of exploitation, and avoid placing JavaScript payloads in the HTTP Meta Info, Footer Copyright, and Footer Version fields.
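The root cause described above is that administrator-supplied preference values reach public pages without output encoding. The following is an added illustration written for this page, not XWiki's own template code: it renders the three fields named in the advisory through an HTML-escaping step, and adds a small audit helper a defender could run over stored preference values (for example while reviewing an instance before or after upgrading to 17.4.0). The sample values are constructed for the example; field names are assumptions, not XWiki's internal property names.

```python
import html
import re

# Constructed sample of the three administrative preference fields named in the
# advisory. The values are made up for this example and are not from the page.
SAMPLE_PREFERENCES = {
    "meta": '<meta name="description" content="Wiki"><script>alert(1)</script>',
    "copyright": "Copyright 2025 Example Org <img src=x onerror=alert(1)>",
    "version": "1.0 </footer><script>alert(1)</script>",
}

# Patterns that indicate active content in a value that should be plain text:
# a script tag, an inline event-handler attribute, or a javascript: URL.
_ACTIVE_CONTENT = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def render_footer(preferences: dict) -> str:
    """Render the stored values with HTML output encoding applied.

    html.escape() turns <, >, &, " and ' into entities, so whatever an
    administrator typed is displayed as text rather than parsed as markup.
    This is the missing step the advisory refers to; the template layout
    here is an assumption, not XWiki's actual skin template.
    """
    meta = html.escape(preferences.get("meta", ""), quote=True)
    copyright_ = html.escape(preferences.get("copyright", ""), quote=True)
    version = html.escape(preferences.get("version", ""), quote=True)
    return (
        f'<div class="site-info" data-meta="{meta}"></div>\n'
        f"<footer><p>{copyright_}</p><p>Version {version}</p></footer>"
    )


def find_active_content(preferences: dict) -> list:
    """Return the names of preference fields whose stored value contains
    script-like content. Intended as an audit over exported settings, so a
    defender can spot values that would have executed on vulnerable versions.
    """
    return sorted(
        name for name, value in preferences.items()
        if _ACTIVE_CONTENT.search(value or "")
    )


if __name__ == "__main__":
    print(render_footer(SAMPLE_PREFERENCES))
    print("fields with active content:", find_active_content(SAMPLE_PREFERENCES))
```

The audit regex is deliberately simple and will miss obfuscated payloads; its purpose is a quick triage of stored settings, while the encoding step in `render_footer` is what actually prevents execution regardless of what the value contains.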

Tags: Exploit · Fix · XSS

Related Identifiers

BDU:2025-13438
CVE-2025-51990

Affected Products

Xwiki