Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.xwiki.platform/xwiki-platform-security-authorization-bridge@17.1.0-rc-1
Typemaven
Namespaceorg.xwiki.platform
Namexwiki-platform-security-authorization-bridge
Version17.1.0-rc-1
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_versionnull
Latest_non_vulnerable_versionnull
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-tpg6-usu2-3bgy
vulnerability_id VCID-tpg6-usu2-3bgy
summary XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right could have a high impact. This vulnerability has been patched in XWiki 16.10.4 and 17.1.0RC1. No known workarounds are available except for upgrading.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-48063
reference_id
reference_type
scores
0
value 0.04877
scoring_system epss
scoring_elements 0.89834
published_at 2026-06-12T12:55:00Z
1
value 0.04877
scoring_system epss
scoring_elements 0.8984
published_at 2026-06-13T12:55:00Z
2
value 0.04877
scoring_system epss
scoring_elements 0.898
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-48063
1
reference_url https://github.com/xwiki/xwiki-platform
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/xwiki/xwiki-platform
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-48063
reference_id
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-48063
3
reference_url https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898
reference_id 2557813aef3b863988d6cca58de996e207086898
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-21T18:20:23Z/
url https://github.com/xwiki/xwiki-platform/commit/2557813aef3b863988d6cca58de996e207086898
4
reference_url https://github.com/advisories/GHSA-rhfv-688c-p6hp
reference_id GHSA-rhfv-688c-p6hp
reference_type
scores
url https://github.com/advisories/GHSA-rhfv-688c-p6hp
5
reference_url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp
reference_id GHSA-rhfv-688c-p6hp
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-21T18:20:23Z/
url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rhfv-688c-p6hp
6
reference_url https://jira.xwiki.org/browse/XWIKI-22859
reference_id XWIKI-22859
reference_type
scores
0
value 4.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-21T18:20:23Z/
url https://jira.xwiki.org/browse/XWIKI-22859
fixed_packages
0
url pkg:maven/org.xwiki.platform/xwiki-platform-security-authorization-bridge@16.10.4
purl pkg:maven/org.xwiki.platform/xwiki-platform-security-authorization-bridge@16.10.4
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-security-authorization-bridge@16.10.4
1
url pkg:maven/org.xwiki.platform/xwiki-platform-security-authorization-bridge@17.1.0-rc-1
purl pkg:maven/org.xwiki.platform/xwiki-platform-security-authorization-bridge@17.1.0-rc-1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-security-authorization-bridge@17.1.0-rc-1
aliases CVE-2025-48063, GHSA-rhfv-688c-p6hp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tpg6-usu2-3bgy
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-security-authorization-bridge@17.1.0-rc-1