CVE-2025-32974
Last modified
CVE-2025-32974 is a critical-severity vulnerability rated 9/10 on the CVSS scale. XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. EPSS estimates a 0.29% chance of exploitation in the next 30 days.
Description
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | >= 15.9, < 15.10.8 |
| Xwiki | Xwiki | >= 16.0.0, < 16.2.0 |
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4rPatch, Vendor Advisory
- https://jira.xwiki.org/browse/XWIKI-22002Issue Tracking, Vendor Advisory
- https://jira.xwiki.org/browse/XWIKI-22002Issue Tracking, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-32974?
How severe is CVE-2025-32974?
How do I fix CVE-2025-32974?
Are you affected by CVE-2025-32974?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST