CVE-2025-32974

April 30, 2025, 4:15 p.m.

9.0
Critical

Description

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.

Product(s) Impacted

Vendor Product Versions
Xwiki
  • Xwiki
  • 15.9-rc-1, <15.10.8, 16.0.0-rc-1, <16.2.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-116
Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a xwiki xwiki 15.9-rc-1 *-*-*-*-*-*
a xwiki xwiki <15.10.8 / / / / / / /
a xwiki xwiki 16.0.0-rc-1 *-*-*-*-*-*
a xwiki xwiki <16.2.0 / / / / / / /

References

https://github.com/xwiki/xwiki-platform/commit/153dbfa2ef1a7a0a644fe3f889684c6a8738c5fc
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4r
https://jira.xwiki.org/browse/XWIKI-22002
https://jira.xwiki.org/browse/XWIKI-22002

Tags

security-advisories@github.com
CWE-116
2025-04-30
CVE-2025-32974

CVSS Score

9.0 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: April 30, 2025, 3:16 p.m.
Last Modified: April 30, 2025, 4:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.