Insecure Access Control in XWiki Allows Unauthorized Programming Rights
CVE-2025-32973

9.1 CRITICAL

Key Information:

Vendor: XWiki
CVE Published: 30 April 2025

Summary

An issue in the XWiki platform allows users with programming rights to grant those rights unintentionally to objects that should not have them. When such a user edits a document that was last modified by a user without programming rights and that contains an XWiki.ComponentClass object, the editor shows no warning about the potential risk. This lets an attacker with edit access on a page craft a malicious object which then obtains programming rights, with consequences for any object in the wiki, as soon as an admin user subsequently edits that document. The problem has been addressed in the latest security patches.
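As an added triage example (not part of the advisory or of XWiki's own code): a Python check over an exported XWiki page that flags XWiki.ComponentClass objects on pages whose last author is not on a trusted list, which is the risky condition described above. The XAR element names assumed here (<xwikidoc>, <author>, <contentAuthor>, <object>/<className>) and the trusted-user set are assumptions, and the sample document is constructed.

```python
"""Triage helper for CVE-2025-32973 (added example, not XWiki project code).

Scans an XWiki XAR-style document XML for pages that carry an
XWiki.ComponentClass object and were last saved by an untrusted author.
Those are the pages a user with programming rights should review before
re-saving them on an unpatched instance.
Assumption: XAR layout with <xwikidoc reference=...>, <author>,
<contentAuthor> and <object><className>; trusted authors are ours to define.
"""
import xml.etree.ElementTree as ET

COMPONENT_CLASS = "XWiki.ComponentClass"


def risky_component_objects(doc_xml: str, trusted_authors: set) -> list:
    """One finding per ComponentClass object on a page whose last author or
    content author is not trusted. An empty list means nothing to review."""
    root = ET.fromstring(doc_xml)
    author = (root.findtext("author") or "").strip()
    content_author = (root.findtext("contentAuthor") or "").strip()
    page = root.get("reference") or f"{root.findtext('web')}.{root.findtext('name')}"
    findings = []
    for obj in root.findall("object"):
        if obj.findtext("className") != COMPONENT_CLASS:
            continue
        # Both the last author and the content author must be trusted;
        # otherwise an untrusted edit may have introduced or altered the object.
        if author in trusted_authors and content_author in trusted_authors:
            continue
        findings.append({
            "page": page,
            "object_number": int(obj.findtext("number") or 0),
            "author": author,
            "content_author": content_author,
        })
    return findings


# Constructed sample: last editor is not trusted and the page carries
# a ComponentClass object, so it should be reviewed before an admin edits it.
SAMPLE_DOC = """<xwikidoc version="1.3" reference="Sandbox.Widget" locale="">
  <web>Sandbox</web><name>Widget</name>
  <author>xwiki:XWiki.RegularUser</author>
  <contentAuthor>xwiki:XWiki.Admin</contentAuthor>
  <object><name>Sandbox.Widget</name><number>0</number>
    <className>XWiki.ComponentClass</className></object>
  <content>Hello</content>
</xwikidoc>"""
TRUSTED = {"xwiki:XWiki.Admin", "xwiki:XWiki.superadmin"}

if __name__ == "__main__":
    for f in risky_component_objects(SAMPLE_DOC, TRUSTED):
        print(f"REVIEW {f['page']} object #{f['object_number']} saved by {f['author']}")
```

Run it over every document XML extracted from a XAR export to get a review list; pages whose objects were all saved by trusted users produce no output.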

Affected Version(s)

xwiki-platform >= 15.9-rc-1, < 15.10.12 (introduced in 15.9-rc-1, fixed in 15.10.12)

xwiki-platform >= 16.0.0-rc-1, < 16.4.3 (introduced in 16.0.0-rc-1, fixed in 16.4.3)

xwiki-platform >= 16.5.0-rc-1, < 16.8.0-rc-1 (introduced in 16.5.0-rc-1, fixed in 16.8.0-rc-1)

References

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
