216.73.217.22

CVE-2025-32974

· Published 30/04/2025 15:16 · Modified 30/04/2025 16:15

Labels: CVE-2025-32974 2025-04-30CVE-2025-32974CWE-116[email protected]

Essential information

Published
30/04/2025 15:16
Modified
30/04/2025 16:15
Author
Creator
CVSS
9.0 CRITICAL (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS metrics

Description

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
xwiki / xwiki cpe:2.3:a:xwiki:xwiki:15.9-rc-1:*-*-*-*-*-*
xwiki / xwiki cpe:2.3:a:xwiki:xwiki:<15.10.8:*:*:*:*:*:*:*
xwiki / xwiki cpe:2.3:a:xwiki:xwiki:16.0.0-rc-1:*-*-*-*-*-*
xwiki / xwiki cpe:2.3:a:xwiki:xwiki:<16.2.0:*:*:*:*:*:*:*

References