CVE-2025-32974

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/153dbfa2ef1a7a0a644fe3f889684c6a8738c5fc
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4r
https://jira.xwiki.org/browse/XWIKI-22002
https://jira.xwiki.org/browse/XWIKI-22002

Configurations

No configuration.

History

30 Apr 2025, 16:15

Type	Values Removed	Values Added
References	~~() https://jira.xwiki.org/browse/XWIKI-22002 -~~	() https://jira.xwiki.org/browse/XWIKI-22002 -

30 Apr 2025, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-30 15:16

Updated : 2025-04-30 16:15

NVD link : CVE-2025-32974

Mitre link : CVE-2025-32974

CVE.ORG link : CVE-2025-32974

JSON object : View

Products Affected

No product.

CWE

CWE-116

Improper Encoding or Escaping of Output

CWE-269

Improper Privilege Management

9.0 /10