CVE-2025-51991 (CNNVD-202508-2320)
中文标题:
XWiki Platform 安全漏洞
英文标题:
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administr...
漏洞描述
中文描述:
XWiki Platform是XWiki开源的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform 17.3.0及之前版本存在安全漏洞,该漏洞源于服务器端模板注入,可能导致执行任意模板逻辑。
英文描述:
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| xwiki | xwiki | * | - | - |
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (adp)
HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-51991 |
2025-11-11 15:23:27 | 2025-11-11 07:40:39 |
| NVD | nvd_CVE-2025-51991 |
2025-11-11 15:01:00 | 2025-11-11 07:48:27 |
| CNNVD | cnnvd_CNNVD-202508-2320 |
2025-11-11 15:12:54 | 2025-11-11 08:00:06 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202508-2320
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- affected_products_count: 0 -> 1
- data_sources: ['cve'] -> ['cve', 'nvd']