XWiki Contrib's Syntax Markdown allows importing Markdown content into wiki pages and creating wiki content in Markdown. In versions starting from 8.2 to before 8.9, the Markdown syntax is vulnerable to cross-site scripting (XSS) through HTML. In particular, using Markdown syntax, it's possible for any user to embed Javascript code that will then be executed on the browser of any other user visiting either the document or the comment that contains it. In the instance that this code is executed by a user with admins or programming rights, this issue compromises the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in version 8.9.
References
| Link | Resource |
|---|---|
| https://github.com/xwiki-contrib/syntax-markdown/commit/d136472d6e8a47981a0ede420a9096f88ffa5035 | Patch |
| https://github.com/xwiki-contrib/syntax-markdown/security/advisories/GHSA-8g2j-rhfh-hq3r | Patch Third Party Advisory |
| https://jira.xwiki.org/browse/MARKDOWN-80 | Exploit Issue Tracking |
Configurations
History
26 Aug 2025, 16:28
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Xwiki xwiki
Xwiki |
|
| CPE | cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* | |
| References | () https://github.com/xwiki-contrib/syntax-markdown/commit/d136472d6e8a47981a0ede420a9096f88ffa5035 - Patch | |
| References | () https://github.com/xwiki-contrib/syntax-markdown/security/advisories/GHSA-8g2j-rhfh-hq3r - Patch, Third Party Advisory | |
| References | () https://jira.xwiki.org/browse/MARKDOWN-80 - Exploit, Issue Tracking |
02 May 2025, 13:53
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-04-30 19:15
Updated : 2025-08-26 16:28
NVD link : CVE-2025-46558
Mitre link : CVE-2025-46558
CVE.ORG link : CVE-2025-46558
JSON object : View
Products Affected
xwiki
- xwiki
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')