CVE-2025-27603
Published: 07 March 2025
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2025-27603 is a high-severity arbitrary code execution vulnerability (CWE-95) in the XWiki Confluence Migrator Pro application, which assists administrators in importing Confluence packages into XWiki instances. The flaw arises from an unescaped translation when creating a page using the Migration Page template, allowing code injection. It affects versions prior to 1.2.0 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
An authenticated user without programming rights can exploit this vulnerability over the network with low attack complexity and no user interaction. By creating a page via the Migration Page template and injecting malicious content into the unescaped translation, the attacker achieves arbitrary code execution with high impact on confidentiality, integrity, and availability; the scope change (S:C) means the impact extends beyond the vulnerable application to the wiki as a whole.
The vulnerability is addressed in version 1.2.0 of XWiki Confluence Migrator Pro. Official advisories and the fixing commit are available on the project's GitHub repository at https://github.com/xwikisas/application-confluence-migrator-pro/security/advisories/GHSA-6qvp-39mm-95v8 and https://github.com/xwikisas/application-confluence-migrator-pro/commit/36cef2271bd429773698ca3a21e47b6d51d6377d. Security practitioners should upgrade immediately and review access to the Migration Page template.
Details
- CWE(s): CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, 'Eval Injection')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability provides arbitrary code execution via code injection in a web application template, directly enabling exploitation for privilege escalation (bypassing programming rights) and use of command/scripting interpreters for execution.