CVE-2025-32974

EPSS 0.29%
Veröffentlicht 30.04.2025 14:55:01
Zuletzt bearbeitet 13.05.2025 14:55:03
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 15.9 < 15.10.8

Xwiki ≫ Xwiki Version >= 16.0.0 < 16.2.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.29%	0.201

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9	2.3	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
security-advisories@github.com	9	2.3	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4r

Patch

Vendor Advisory

https://github.com/xwiki/xwiki-platform/commit/153dbfa2ef1a7a0a644fe3f889684c6a8738c5fc

Patch

https://jira.xwiki.org/browse/XWIKI-22002

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-32974

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-32974

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-32974

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-32974