Vulnerabilites related to xwikisas - application-confluence-migrator-pro
CVE-2025-27604 (GCVE-0-2025-27604)
Vulnerability from cvelistv5
Published
2025-03-07 16:11
Modified
2025-03-07 17:56
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. The homepage of the application is public which enables a guest to download the package which might contain sensitive information. This vulnerability is fixed in 1.11.7.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwikisas | application-confluence-migrator-pro |
Version: < 1.11.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27604",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T17:56:34.123291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T17:56:42.640Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "application-confluence-migrator-pro",
"vendor": "xwikisas",
"versions": [
{
"status": "affected",
"version": "\u003c 1.11.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. The homepage of the application is public which enables a guest to download the package which might contain sensitive information. This vulnerability is fixed in 1.11.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T16:11:32.475Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwikisas/application-confluence-migrator-pro/security/advisories/GHSA-3w9f-2pph-j5vc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwikisas/application-confluence-migrator-pro/security/advisories/GHSA-3w9f-2pph-j5vc"
},
{
"name": "https://github.com/xwikisas/application-confluence-migrator-pro/commit/6ced42b1f341fd0ce6734fc58c7d694da5f365fb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwikisas/application-confluence-migrator-pro/commit/6ced42b1f341fd0ce6734fc58c7d694da5f365fb"
}
],
"source": {
"advisory": "GHSA-3w9f-2pph-j5vc",
"discovery": "UNKNOWN"
},
"title": "XWiki Confluence Migrator Pro\u0027s homepage is public"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27604",
"datePublished": "2025-03-07T16:11:32.475Z",
"dateReserved": "2025-03-03T15:10:34.078Z",
"dateUpdated": "2025-03-07T17:56:42.640Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27603 (GCVE-0-2025-27603)
Vulnerability from cvelistv5
Published
2025-03-07 16:06
Modified
2025-03-07 17:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Summary
XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. A user that doesn't have programming rights can execute arbitrary code due to an unescaped translation when creating a page using the Migration Page template. This vulnerability is fixed in 1.2.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwikisas | application-confluence-migrator-pro |
Version: > 1.0, < 1.2.0 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27603",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-07T17:57:15.302395Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T17:57:36.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xwikisas/application-confluence-migrator-pro/security/advisories/GHSA-6qvp-39mm-95v8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "application-confluence-migrator-pro",
"vendor": "xwikisas",
"versions": [
{
"status": "affected",
"version": "\u003e 1.0, \u003c 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. A user that doesn\u0027t have programming rights can execute arbitrary code due to an unescaped translation when creating a page using the Migration Page template. This vulnerability is fixed in 1.2.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-07T16:06:39.963Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwikisas/application-confluence-migrator-pro/security/advisories/GHSA-6qvp-39mm-95v8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwikisas/application-confluence-migrator-pro/security/advisories/GHSA-6qvp-39mm-95v8"
},
{
"name": "https://github.com/xwikisas/application-confluence-migrator-pro/commit/36cef2271bd429773698ca3a21e47b6d51d6377d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwikisas/application-confluence-migrator-pro/commit/36cef2271bd429773698ca3a21e47b6d51d6377d"
}
],
"source": {
"advisory": "GHSA-6qvp-39mm-95v8",
"discovery": "UNKNOWN"
},
"title": "XWiki Confluence Migrator Pro allows Remote Code Execution via unescaped translations"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-27603",
"datePublished": "2025-03-07T16:06:39.963Z",
"dateReserved": "2025-03-03T15:10:34.078Z",
"dateUpdated": "2025-03-07T17:57:36.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}