CVE-2025-32969

Exploit

EPSS 34.01%
Veröffentlicht 23.04.2025 15:33:03
Zuletzt bearbeitet 30.04.2025 15:50:37
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 1.8 < 15.10.16

Xwiki ≫ Xwiki Version >= 16.0.0 < 16.4.6

Xwiki ≫ Xwiki Version >= 16.5.0 < 16.10.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	34.01%	0.968

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f69v-xrj8-rhxf

Vendor Advisory

Exploit

https://github.com/xwiki/xwiki-platform/commit/5c11a874bd24a581f534d283186e209bbccd8113

Patch

https://jira.xwiki.org/browse/XWIKI-22691

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-32969

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-32969

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-32969

EUVD