CVE-2025-49590

Low CVSS: 2.9

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting (XSS), however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which a maliciously crafted URI can follow. This issue has been patched in version 2025.3.0.

Vendor

Xwiki

Product

Cryptpad

CWE

CWE-692

Yayın Tarihi

2025-06-18 23:15:19

Güncelleme

2025-08-11 18:18:19

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-692 Cryptpad LOW Xwiki 2025

Referanslar

https://github.com/cryptpad/cryptpad/blob/15c81aa8ccb737a9a1167481f4a699af331364bb/www/bounce/main.js#L64-L95 https://github.com/cryptpad/cryptpad/commit/d5e4830ba104a4a442cb23aab5378b8565a95607 https://github.com/cryptpad/cryptpad/security/advisories/GHSA-vq9h-x3gr-v8rj

Benzer Kayıtlar

Medium

CVE-2026-26000

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0…

Medium

CVE-2026-24128

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-mi…

Medium

CVE-2025-65090

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights…

Critical

CVE-2025-65091

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right t…

High

CVE-2025-66474

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) int…

Medium

CVE-2025-66472

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-mi…