Vulnerability in XWiki Platform Exposes Sensitive Data Execution Risk
CVE-2025-32974

9CRITICAL

Key Information:

Vendor

Xwiki
Status
Xwiki-platform
Vendor
CVE Published:
30 April 2025

What is CVE-2025-32974?

A vulnerability exists in the XWiki Platform where the rights analysis mechanism fails to appropriately evaluate TextAreas with default content types. This oversight allows users with certain permissions to inject malicious scripts within a page. Such scripts can be executed by users with specific administrative rights, jeopardizing the confidentiality, integrity, and availability of the entire XWiki instance. This issue affects versions 15.9-rc-1 to 15.10.7 and 16.0.0-rc-1 to 16.1.9, and has been addressed in the subsequent releases.

Affected Version(s)

xwiki-platform >= 15.9-rc-1, < 15.10.8 < 15.9-rc-1, 15.10.8

xwiki-platform >= 16.0.0-rc-1, < 16.2.0 < 16.0.0-rc-1, 16.2.0

References

https://github.com/xwiki/xwiki-platform/security/advisori...
x_refsource_CONFIRM
https://github.com/xwiki/xwiki-platform/commit/153dbfa2ef...
x_refsource_MISC
https://jira.xwiki.org/browse/XWIKI-22002
x_refsource_MISC

CVSS V3.1

Score:
9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.