CVE-2025-27603
com.xwiki.confluencepro:application-confluence-migrator-pro-ui Remote Code Execution via unescaped translations
Description
### Impact A user that doesn't have programming rights can execute arbitrary code when creating a page using the Migration Page template. A possible attack vector is the following: * Create a page and add the following content: ``` confluencepro.job.question.advanced.input={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}} ``` * Use the object editor to add an object of type `XWiki.TranslationDocumentClass` with scope `USER`. * Access an unexisting page using the `MigrationTemplate` ``` http://localhost:8080/xwiki/bin/edit/Page123?template=ConfluenceMigratorPro.Code.MigrationTemplate ``` It is expected that `{{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}}` will be present on the page, however, `hello from groovy` will be printed. ### Patches The issue will be fixed as part of v1.2. The fix was added with commit [35cef22](https://github.com/xwikisas/application-confluence-migrator-pro/commit/36cef2271bd429773698ca3a21e47b6d51d6377d) ### Workarounds There are no known workarounds besides upgrading. ### References No references.
How to fix CVE-2025-27603
To remediate CVE-2025-27603, upgrade the affected package to a fixed version below.
- —upgrade to 1.2.0 or later
Is CVE-2025-27603 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.0, < 1.2.0