Search criteria
720 vulnerabilities found for xwiki by xwiki
FKIE_CVE-2025-55748
Vulnerability from fkie_nvd - Published: 2025-09-03 21:15 - Updated: 2025-09-10 17:24
Severity ?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This is fixed in version 16.10.7.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BF2E919E-3BBD-4FB5-95E3-E448DC559788",
"versionEndExcluding": "16.10.7",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D1B3E17E-EB52-4E36-9D50-4045914A05F9",
"versionEndIncluding": "17.3.0",
"versionStartIncluding": "17.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:4.2:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "CFC3527D-024A-47A6-9684-C37B9CF3AC76",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:4.2:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "BC907C33-432E-4153-B1A2-9B8BF9167E1B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It\u0027s possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg\u0026minify=false`. This is fixed in version 16.10.7."
}
],
"id": "CVE-2025-55748",
"lastModified": "2025-09-10T17:24:13.273",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-09-03T21:15:32.460",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-ee78930a9ac5ea586179fe8ab88a5fd58e369d175927d1e88a0b4dbc3ebcbf1eR62"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23109"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-23"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-55747
Vulnerability from fkie_nvd - Published: 2025-09-03 21:15 - Updated: 2025-09-10 17:47
Severity ?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "04632A68-D193-4C05-807F-E842C48E3378",
"versionEndExcluding": "16.10.7",
"versionStartIncluding": "6.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D1B3E17E-EB52-4E36-9D50-4045914A05F9",
"versionEndIncluding": "17.3.0",
"versionStartIncluding": "17.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:6.1:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "52DBE10F-1F55-46AD-9D47-5C05FAB85777",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:6.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DE2A8246-5889-4BC6-AF65-F19BBAB094C6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7."
}
],
"id": "CVE-2025-55747",
"lastModified": "2025-09-10T17:47:28.840",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-09-03T21:15:31.740",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-45ea9c87d5fb68cd5db0da7f78cf25e76f1325f5fe56e21618b21786fc706236R80-R81"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19350"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-23"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-58049
Vulnerability from fkie_nvd - Published: 2025-08-28 18:15 - Updated: 2025-09-02 17:34
Severity ?
5.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "532F5636-F862-48B4-BA5F-F0BF391352AD",
"versionEndExcluding": "16.4.8",
"versionStartIncluding": "14.4.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6DEAB833-8F14-42C3-9716-BFF595E82F52",
"versionEndExcluding": "16.10.7",
"versionStartIncluding": "16.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D1B3E17E-EB52-4E36-9D50-4045914A05F9",
"versionEndIncluding": "17.3.0",
"versionStartIncluding": "17.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn\u0027t store passwords in plain text, and it shouldn\u0027t be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1."
}
],
"id": "CVE-2025-58049",
"lastModified": "2025-09-02T17:34:25.467",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.3,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-08-28T18:15:33.657",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23151"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-212"
},
{
"lang": "en",
"value": "CWE-257"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-51991
Vulnerability from fkie_nvd - Published: 2025-08-20 15:15 - Updated: 2025-09-11 13:50
Severity ?
Summary
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51991.md | Third Party Advisory, Exploit | |
| cve@mitre.org | https://xwiki.org | Product |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "299B1520-4DFC-4D21-A589-ECE23F2AAF60",
"versionEndIncluding": "17.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields."
},
{
"lang": "es",
"value": "XWiki, hasta la versi\u00f3n 17.3.0, es vulnerable a Server-Side Template Injection (SSTI) en la interfaz de Administraci\u00f3n, espec\u00edficamente en el campo HTTP Meta Info de la secci\u00f3n Presentaci\u00f3n de Preferencias Globales. Un administrador autenticado puede inyectar c\u00f3digo de plantilla Apache Velocity manipulado, el cual se procesa en el servidor sin la validaci\u00f3n ni el entorno de pruebas adecuados. Esto permite la ejecuci\u00f3n de l\u00f3gica de plantilla arbitraria, lo que puede exponer informaci\u00f3n interna del servidor o, en ciertas configuraciones, provocar una explotaci\u00f3n posterior, como la ejecuci\u00f3n remota de c\u00f3digo o la filtraci\u00f3n de datos confidenciales. La vulnerabilidad reside en el manejo inadecuado de la renderizaci\u00f3n din\u00e1mica de plantillas dentro de los campos de configuraci\u00f3n proporcionados por el usuario."
}
],
"id": "CVE-2025-51991",
"lastModified": "2025-09-11T13:50:55.417",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-08-20T15:15:33.327",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"Exploit"
],
"url": "https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51991.md"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://xwiki.org"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
},
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-51990
Vulnerability from fkie_nvd - Published: 2025-08-20 15:15 - Updated: 2025-09-11 13:51
Severity ?
Summary
XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These inputs are stored and subsequently rendered without proper output encoding or sanitization on public-facing pages. As a result, the injected scripts are persistently executed in the browser context of any visitor to the affected instances including both authenticated and unauthenticated users. No user interaction is required beyond visiting a page that includes the malicious content. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions via session riding, or further compromise of the application through client-side attacks. The vulnerability introduces significant risk in any deployment, especially in shared or internet-facing environments where administrator credentials may be compromised.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51990.md | Exploit, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "299B1520-4DFC-4D21-A589-ECE23F2AAF60",
"versionEndIncluding": "17.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These inputs are stored and subsequently rendered without proper output encoding or sanitization on public-facing pages. As a result, the injected scripts are persistently executed in the browser context of any visitor to the affected instances including both authenticated and unauthenticated users. No user interaction is required beyond visiting a page that includes the malicious content. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions via session riding, or further compromise of the application through client-side attacks. The vulnerability introduces significant risk in any deployment, especially in shared or internet-facing environments where administrator credentials may be compromised."
},
{
"lang": "es",
"value": "XWiki, hasta la versi\u00f3n 17.3.0, se ve afectado por m\u00faltiples vulnerabilidades de cross-site scripting (XSS) almacenado en la interfaz de Administraci\u00f3n, espec\u00edficamente en la secci\u00f3n Presentaci\u00f3n del panel Preferencias globales. Un administrador autenticado puede inyectar payloads de JavaScript arbitrarios en los campos HTTP Meta Info, Footer Copyright y Footer Version. Estas entradas se almacenan y posteriormente se representan sin la codificaci\u00f3n ni la depuraci\u00f3n de salida adecuadas en p\u00e1ginas p\u00fablicas. Como resultado, los scripts inyectados se ejecutan de forma persistente en el navegador de cualquier visitante de las instancias afectadas, tanto usuarios autenticados como no autenticados. No se requiere interacci\u00f3n del usuario m\u00e1s all\u00e1 de visitar una p\u00e1gina que incluya el contenido malicioso. Una explotaci\u00f3n exitosa puede provocar secuestro de sesi\u00f3n, robo de credenciales, acciones no autorizadas mediante la ejecuci\u00f3n de sesiones o un mayor riesgo de la aplicaci\u00f3n mediante ataques del lado del cliente. Esta vulnerabilidad supone un riesgo significativo en cualquier implementaci\u00f3n, especialmente en entornos compartidos o conectados a internet donde las credenciales del administrador pueden verse comprometidas."
}
],
"id": "CVE-2025-51990",
"lastModified": "2025-09-11T13:51:18.397",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 2.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-08-20T15:15:33.157",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51990.md"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-54124
Vulnerability from fkie_nvd - Published: 2025-08-06 00:15 - Updated: 2025-09-02 19:24
Severity ?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "68E89E44-B906-4F37-8D80-635F610FD374",
"versionEndExcluding": "16.4.7",
"versionStartIncluding": "9.8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7AB87055-B4ED-4E87-8424-159C336691AE",
"versionEndExcluding": "16.10.5",
"versionStartIncluding": "16.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01BE9B12-6D04-43E0-9E11-FD5D23442534",
"versionEndIncluding": "17.1.0",
"versionStartIncluding": "17.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1."
},
{
"lang": "es",
"value": "XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones desarrolladas sobre ella. En las versiones 9.8-rc-1 a 16.4.6, 16.5.0-rc-1 a 16.10.4 y 17.0.0-rc-1 a 17.1.0 de XWiki Platform Legacy Old Core y XWiki Platform Old Core, cualquier usuario con permisos de edici\u00f3n puede crear una XClass con una propiedad de lista de base de datos que haga referencia a una propiedad de contrase\u00f1a. Al a\u00f1adir un objeto de esa XClass, se muestra el contenido de esa propiedad de contrase\u00f1a. En la pr\u00e1ctica, con una configuraci\u00f3n de permisos est\u00e1ndar, cualquier usuario con una cuenta en la wiki puede acceder a los hashes de contrase\u00f1as de todos los usuarios y, posiblemente, a otras propiedades de contrase\u00f1as (con almacenamiento en hashes o sin formato) que se encuentren en p\u00e1ginas visibles para el usuario. Este problema se ha corregido en las versiones 16.4.7, 16.10.5 y 17.2.0-rc-1."
}
],
"id": "CVE-2025-54124",
"lastModified": "2025-09-02T19:24:15.877",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-06T00:15:30.353",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22811"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22811"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-359"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-54125
Vulnerability from fkie_nvd - Published: 2025-08-06 00:15 - Updated: 2025-09-02 19:24
Severity ?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn't needed. There isn't any feature in XWiki itself that depends on the XML export.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9AAEBCBA-54FA-4DCB-B8A3-301CBCD74B27",
"versionEndExcluding": "16.4.7",
"versionStartIncluding": "1.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7AB87055-B4ED-4E87-8424-159C336691AE",
"versionEndExcluding": "16.10.5",
"versionStartIncluding": "16.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01BE9B12-6D04-43E0-9E11-FD5D23442534",
"versionEndIncluding": "17.1.0",
"versionStartIncluding": "17.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren\u0027t named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn\u0027t needed. There isn\u0027t any feature in XWiki itself that depends on the XML export."
},
{
"lang": "es",
"value": "XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones desarrolladas sobre ella. En las versiones 1.1 a 16.4.6, 16.5.0-rc-1 a 16.10.4 y 17.0.0-rc-1 a 17.1.0 de XWiki Platform Legacy Old Core y XWiki Platform Old Core, la exportaci\u00f3n XML de una p\u00e1gina en XWiki, que puede ser activada por cualquier usuario con permisos de visualizaci\u00f3n a\u00f1adiendo ?xpage=xml a la URL, incluye propiedades de contrase\u00f1a y correo electr\u00f3nico almacenadas en un documento que no se denominan contrase\u00f1a ni correo electr\u00f3nico. Esto se solucion\u00f3 en las versiones 16.4.7, 16.10.5 y 17.2.0-rc-1. Para solucionar este problema, se puede eliminar el archivo templates/xml.vm del WAR implementado si no se necesita el XML. No hay ninguna funci\u00f3n en XWiki que dependa de la exportaci\u00f3n XML."
}
],
"id": "CVE-2025-54125",
"lastModified": "2025-09-02T19:24:04.670",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-06T00:15:30.523",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22810"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22810"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-359"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-32430
Vulnerability from fkie_nvd - Published: 2025-08-06 00:15 - Updated: 2025-09-02 19:24
Severity ?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A00D7A8C-22D1-4305-AB29-1726589EB71D",
"versionEndExcluding": "16.4.8",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "96858224-B882-4048-91DC-7863CE7F4E0D",
"versionEndExcluding": "16.10.6",
"versionStartIncluding": "16.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AAB2B86E-1053-4B68-8553-B73C003453E9",
"versionEndIncluding": "17.2.2",
"versionStartIncluding": "17.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:4.2:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "BC907C33-432E-4153-B1A2-9B8BF9167E1B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:16.5.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "6F584366-586F-453C-8E5F-F252ECD0C815",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim\u0027s session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch."
},
{
"lang": "es",
"value": "XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones desarrolladas sobre ella. En las versiones 4.2-milestone-3 a 16.4.7, 16.5.0-rc-1 a 16.10.5 y 17.0.0-rc-1 a 17.2.2, dos plantillas contienen vulnerabilidades XSS reflejado, lo que permite a un atacante ejecutar c\u00f3digo JavaScript malicioso en la sesi\u00f3n de la v\u00edctima al obligarla a visitar una URL controlada por el atacante. Esto permite al atacante realizar acciones arbitrarias utilizando los permisos de la v\u00edctima. Este problema se ha corregido en las versiones 16.4.8, 16.10.6 y 17.3.0-rc-1. Para solucionarlo, parchee manualmente el WAR con los mismos cambios que el parche original."
}
],
"id": "CVE-2025-32430",
"lastModified": "2025-09-02T19:24:23.010",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-08-06T00:15:29.193",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23096"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-54385
Vulnerability from fkie_nvd - Published: 2025-07-26 04:16 - Updated: 2025-09-03 17:42
Severity ?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12222DC0-458F-4620-8F20-2230A8959DFE",
"versionEndExcluding": "16.10.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AAB2B86E-1053-4B68-8553-B73C003453E9",
"versionEndIncluding": "17.2.2",
"versionStartIncluding": "17.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it\u0027s possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL\u0027s native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1."
},
{
"lang": "es",
"value": "La plataforma XWiki es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones desarrolladas sobre ella. En las versiones 17.0.0-rc1 a 17.2.2 y 16.10.5 y anteriores, es posible ejecutar cualquier consulta SQL en Oracle mediante funciones como DBMS_XMLGEN o DBMS_XMLQUERY. Las API de XWiki#searchDocuments pasan las consultas directamente a Hibernate sin depurarlas. Incluso cuando estas API aplican una cl\u00e1usula SELECT espec\u00edfica, los atacantes pueden inyectar c\u00f3digo malicioso a trav\u00e9s de la compatibilidad con funciones nativas de HQL en otras partes de la consulta (como la cl\u00e1usula WHERE). Esto se ha corregido en las versiones 16.10.6 y 17.3.0-rc-1."
}
],
"id": "CVE-2025-54385",
"lastModified": "2025-09-03T17:42:29.050",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-26T04:16:06.397",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/7313dc9b533c70f14b7672379c8b3b63d1fd8f51"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/7c4087d44ac550610b2fa413dd4f5375409265a5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9qm-p942-q3w5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22728"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-32429
Vulnerability from fkie_nvd - Published: 2025-07-24 23:15 - Updated: 2025-09-03 17:43
Severity ?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D5EC45F9-9CC2-46A8-835F-C0C03E22FEF2",
"versionEndExcluding": "16.10.6",
"versionStartIncluding": "9.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AAB2B86E-1053-4B68-8553-B73C003453E9",
"versionEndIncluding": "17.2.2",
"versionStartIncluding": "17.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it\u0027s possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It\u0027s injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1."
},
{
"lang": "es",
"value": "La plataforma XWiki es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones desarrolladas sobre ella. En las versiones 9.4-rc-1 a 16.10.5 y 17.0.0-rc-1 a 17.2.2, cualquiera puede inyectar SQL mediante el par\u00e1metro sort de getdeleteddocuments.vm. Se inyecta tal cual como un valor ORDER BY. Esto se solucion\u00f3 en las versiones 16.10.6 y 17.3.0-rc-1."
}
],
"id": "CVE-2025-32429",
"lastModified": "2025-09-03T17:43:28.937",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-07-24T23:15:26.283",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23093"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
CVE-2025-55748 (GCVE-0-2025-55748)
Vulnerability from cvelistv5 – Published: 2025-09-03 20:19 – Updated: 2025-09-03 20:47
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This is fixed in version 16.10.7.
Severity ?
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 4.2-milestone-2, < 16.10.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T20:47:42.905524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T20:47:51.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2-milestone-2, \u003c 16.10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It\u0027s possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg\u0026minify=false`. This is fixed in version 16.10.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T20:19:45.501Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-ee78930a9ac5ea586179fe8ab88a5fd58e369d175927d1e88a0b4dbc3ebcbf1eR62",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-ee78930a9ac5ea586179fe8ab88a5fd58e369d175927d1e88a0b4dbc3ebcbf1eR62"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-23109",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23109"
}
],
"source": {
"advisory": "GHSA-m63c-3rmg-r2cf",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform\u0027s configuration files can be accessed through jsx and sx endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55748",
"datePublished": "2025-09-03T20:19:45.501Z",
"dateReserved": "2025-08-14T22:31:17.685Z",
"dateUpdated": "2025-09-03T20:47:51.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55747 (GCVE-0-2025-55747)
Vulnerability from cvelistv5 – Published: 2025-09-03 20:12 – Updated: 2025-09-03 20:48
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.
Severity ?
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 6.1-milestone-2, < 16.10.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55747",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T20:48:20.232200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T20:48:27.579Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.1-milestone-2, \u003c 16.10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T20:17:27.940Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-45ea9c87d5fb68cd5db0da7f78cf25e76f1325f5fe56e21618b21786fc706236R80-R81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-45ea9c87d5fb68cd5db0da7f78cf25e76f1325f5fe56e21618b21786fc706236R80-R81"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-19350",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19350"
}
],
"source": {
"advisory": "GHSA-qww7-89xh-x7m7",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform\u0027s configuration files can be accessed through the webjars API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55747",
"datePublished": "2025-09-03T20:12:12.978Z",
"dateReserved": "2025-08-14T22:31:17.685Z",
"dateUpdated": "2025-09-03T20:48:27.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58049 (GCVE-0-2025-58049)
Vulnerability from cvelistv5 – Published: 2025-08-28 17:43 – Updated: 2025-08-28 18:15
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1.
Severity ?
5.8 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 14.4.2, < 16.4.8
Affected: >= 16.5.0-rc-1, < 16.10.7 Affected: >= 17.0.0-rc-1, < 17.4.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58049",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-28T18:15:42.371947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T18:15:47.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 14.4.2, \u003c 16.4.8"
},
{
"status": "affected",
"version": "\u003e= 16.5.0-rc-1, \u003c 16.10.7"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.4.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn\u0027t store passwords in plain text, and it shouldn\u0027t be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-212",
"description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-257",
"description": "CWE-257: Storing Passwords in a Recoverable Format",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T17:43:39.779Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-23151",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23151"
}
],
"source": {
"advisory": "GHSA-9m7c-m33f-3429",
"discovery": "UNKNOWN"
},
"title": "XWiki PDF export jobs store sensitive cookies unencrypted in job statuses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58049",
"datePublished": "2025-08-28T17:43:39.779Z",
"dateReserved": "2025-08-22T14:30:32.221Z",
"dateUpdated": "2025-08-28T18:15:47.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-51991 (GCVE-0-2025-51991)
Vulnerability from cvelistv5 – Published: 2025-08-20 00:00 – Updated: 2025-08-20 15:43
VLAI?
Summary
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-51991",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T15:40:52.053470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:43:26.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T14:56:03.694Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://xwiki.org"
},
{
"url": "https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51991.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-51991",
"datePublished": "2025-08-20T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-08-20T15:43:26.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-51990 (GCVE-0-2025-51990)
Vulnerability from cvelistv5 – Published: 2025-08-20 00:00 – Updated: 2025-08-20 15:53
VLAI?
Summary
XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These inputs are stored and subsequently rendered without proper output encoding or sanitization on public-facing pages. As a result, the injected scripts are persistently executed in the browser context of any visitor to the affected instances including both authenticated and unauthenticated users. No user interaction is required beyond visiting a page that includes the malicious content. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions via session riding, or further compromise of the application through client-side attacks. The vulnerability introduces significant risk in any deployment, especially in shared or internet-facing environments where administrator credentials may be compromised.
Severity ?
4.8 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-51990",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T15:52:16.902370Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:53:53.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These inputs are stored and subsequently rendered without proper output encoding or sanitization on public-facing pages. As a result, the injected scripts are persistently executed in the browser context of any visitor to the affected instances including both authenticated and unauthenticated users. No user interaction is required beyond visiting a page that includes the malicious content. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions via session riding, or further compromise of the application through client-side attacks. The vulnerability introduces significant risk in any deployment, especially in shared or internet-facing environments where administrator credentials may be compromised."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T14:54:12.974Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51990.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-51990",
"datePublished": "2025-08-20T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-08-20T15:53:53.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54125 (GCVE-0-2025-54125)
Vulnerability from cvelistv5 – Published: 2025-08-05 23:30 – Updated: 2025-08-06 20:29
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn't needed. There isn't any feature in XWiki itself that depends on the XML export.
Severity ?
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 1.1, < 16.4.7
Affected: >= 16.5.0-rc-1, < 16.10.5 Affected: >= 17.0.0-rc-1, < 17.2.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54125",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T20:28:50.779888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T20:29:03.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22810"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.1, \u003c 16.4.7"
},
{
"status": "affected",
"version": "\u003e= 16.5.0-rc-1, \u003c 16.10.5"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.2.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren\u0027t named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn\u0027t needed. There isn\u0027t any feature in XWiki itself that depends on the XML export."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T23:30:38.963Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-22810",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22810"
}
],
"source": {
"advisory": "GHSA-57q2-6cp4-9mq3",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform: Password and email exposure in xml.vm fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54125",
"datePublished": "2025-08-05T23:30:38.963Z",
"dateReserved": "2025-07-16T23:53:40.509Z",
"dateUpdated": "2025-08-06T20:29:03.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54124 (GCVE-0-2025-54124)
Vulnerability from cvelistv5 – Published: 2025-08-05 23:28 – Updated: 2025-08-06 20:28
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1.
Severity ?
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 9.8-rc-1, < 16.4.7
Affected: >= 16.5.0-rc-1, < 16.10.5 Affected: >= 17.0.0-rc-1, < 17.2.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54124",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T20:27:54.134605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T20:28:10.785Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22811"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.8-rc-1, \u003c 16.4.7"
},
{
"status": "affected",
"version": "\u003e= 16.5.0-rc-1, \u003c 16.10.5"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.2.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T23:28:07.166Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-22811",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22811"
}
],
"source": {
"advisory": "GHSA-r38m-cgpg-qj69",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform: Any user with editing rights can access password properties through Database List Properties"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54124",
"datePublished": "2025-08-05T23:28:07.166Z",
"dateReserved": "2025-07-16T23:53:40.509Z",
"dateUpdated": "2025-08-06T20:28:10.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32430 (GCVE-0-2025-32430)
Vulnerability from cvelistv5 – Published: 2025-08-05 23:27 – Updated: 2025-08-06 20:27
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 4.2-milestone-3, < 16.4.8
Affected: >= 16.5.0-rc-1, < 16.10.6 Affected: >= 17.0.0-rc-1, < 17.3.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32430",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T20:26:53.478745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T20:27:07.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2-milestone-3, \u003c 16.4.8"
},
{
"status": "affected",
"version": "\u003e= 16.5.0-rc-1, \u003c 16.10.6"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.3.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim\u0027s session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T23:27:07.471Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-23096",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23096"
}
],
"source": {
"advisory": "GHSA-m9x4-w7p9-mxhx",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform contains Reflected XSS vulnerability in two templates"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32430",
"datePublished": "2025-08-05T23:27:07.471Z",
"dateReserved": "2025-04-08T10:54:58.367Z",
"dateUpdated": "2025-08-06T20:27:07.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54385 (GCVE-0-2025-54385)
Vulnerability from cvelistv5 – Published: 2025-07-26 03:28 – Updated: 2025-07-28 18:59
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
< 16.10.6
Affected: >= 17.0.0-rc1, < 17.3.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T18:59:18.202480Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T18:59:22.894Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003c 16.10.6"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc1, \u003c 17.3.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it\u0027s possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL\u0027s native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-26T03:28:49.269Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9qm-p942-q3w5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9qm-p942-q3w5"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/7313dc9b533c70f14b7672379c8b3b63d1fd8f51",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/7313dc9b533c70f14b7672379c8b3b63d1fd8f51"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/7c4087d44ac550610b2fa413dd4f5375409265a5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/7c4087d44ac550610b2fa413dd4f5375409265a5"
},
{
"name": "https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-22728",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22728"
},
{
"name": "https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.6"
}
],
"source": {
"advisory": "GHSA-p9qm-p942-q3w5",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform\u0027s searchDocuments API allows for SQL injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54385",
"datePublished": "2025-07-26T03:28:49.269Z",
"dateReserved": "2025-07-21T16:12:20.734Z",
"dateUpdated": "2025-07-28T18:59:22.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32429 (GCVE-0-2025-32429)
Vulnerability from cvelistv5 – Published: 2025-07-24 22:22 – Updated: 2025-07-25 13:32
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 9.4-rc-1, < 16.10.6
Affected: >= 17.0.0-rc-1, < 17.3.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32429",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-25T13:32:37.844678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T13:32:47.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.4-rc-1, \u003c 16.10.6"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.3.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it\u0027s possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It\u0027s injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-24T22:22:35.102Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-23093",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23093"
}
],
"source": {
"advisory": "GHSA-vr59-gm53-v7cq",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32429",
"datePublished": "2025-07-24T22:22:35.102Z",
"dateReserved": "2025-04-08T10:54:58.367Z",
"dateUpdated": "2025-07-25T13:32:47.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55748 (GCVE-0-2025-55748)
Vulnerability from nvd – Published: 2025-09-03 20:19 – Updated: 2025-09-03 20:47
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This is fixed in version 16.10.7.
Severity ?
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 4.2-milestone-2, < 16.10.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T20:47:42.905524Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T20:47:51.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2-milestone-2, \u003c 16.10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It\u0027s possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg\u0026minify=false`. This is fixed in version 16.10.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T20:19:45.501Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cf"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-ee78930a9ac5ea586179fe8ab88a5fd58e369d175927d1e88a0b4dbc3ebcbf1eR62",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-ee78930a9ac5ea586179fe8ab88a5fd58e369d175927d1e88a0b4dbc3ebcbf1eR62"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-23109",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23109"
}
],
"source": {
"advisory": "GHSA-m63c-3rmg-r2cf",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform\u0027s configuration files can be accessed through jsx and sx endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55748",
"datePublished": "2025-09-03T20:19:45.501Z",
"dateReserved": "2025-08-14T22:31:17.685Z",
"dateUpdated": "2025-09-03T20:47:51.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55747 (GCVE-0-2025-55747)
Vulnerability from nvd – Published: 2025-09-03 20:12 – Updated: 2025-09-03 20:48
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7.
Severity ?
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 6.1-milestone-2, < 16.10.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55747",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T20:48:20.232200Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T20:48:27.579Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.1-milestone-2, \u003c 16.10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API. This is fixed in version 16.10.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T20:17:27.940Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qww7-89xh-x7m7"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-45ea9c87d5fb68cd5db0da7f78cf25e76f1325f5fe56e21618b21786fc706236R80-R81",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318#diff-45ea9c87d5fb68cd5db0da7f78cf25e76f1325f5fe56e21618b21786fc706236R80-R81"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-19350",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19350"
}
],
"source": {
"advisory": "GHSA-qww7-89xh-x7m7",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform\u0027s configuration files can be accessed through the webjars API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55747",
"datePublished": "2025-09-03T20:12:12.978Z",
"dateReserved": "2025-08-14T22:31:17.685Z",
"dateUpdated": "2025-09-03T20:48:27.579Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58049 (GCVE-0-2025-58049)
Vulnerability from nvd – Published: 2025-08-28 17:43 – Updated: 2025-08-28 18:15
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1.
Severity ?
5.8 (Medium)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 14.4.2, < 16.4.8
Affected: >= 16.5.0-rc-1, < 16.10.7 Affected: >= 17.0.0-rc-1, < 17.4.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58049",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-28T18:15:42.371947Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T18:15:47.326Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 14.4.2, \u003c 16.4.8"
},
{
"status": "affected",
"version": "\u003e= 16.5.0-rc-1, \u003c 16.10.7"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.4.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn\u0027t store passwords in plain text, and it shouldn\u0027t be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-212",
"description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-257",
"description": "CWE-257: Storing Passwords in a Recoverable Format",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-28T17:43:39.779Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9m7c-m33f-3429"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/60982ad0057b1701ed8297f28cad35d170686539"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-23151",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23151"
}
],
"source": {
"advisory": "GHSA-9m7c-m33f-3429",
"discovery": "UNKNOWN"
},
"title": "XWiki PDF export jobs store sensitive cookies unencrypted in job statuses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58049",
"datePublished": "2025-08-28T17:43:39.779Z",
"dateReserved": "2025-08-22T14:30:32.221Z",
"dateUpdated": "2025-08-28T18:15:47.326Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-51991 (GCVE-0-2025-51991)
Vulnerability from nvd – Published: 2025-08-20 00:00 – Updated: 2025-08-20 15:43
VLAI?
Summary
XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-51991",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T15:40:52.053470Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:43:26.008Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T14:56:03.694Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://xwiki.org"
},
{
"url": "https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51991.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-51991",
"datePublished": "2025-08-20T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-08-20T15:43:26.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-51990 (GCVE-0-2025-51990)
Vulnerability from nvd – Published: 2025-08-20 00:00 – Updated: 2025-08-20 15:53
VLAI?
Summary
XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These inputs are stored and subsequently rendered without proper output encoding or sanitization on public-facing pages. As a result, the injected scripts are persistently executed in the browser context of any visitor to the affected instances including both authenticated and unauthenticated users. No user interaction is required beyond visiting a page that includes the malicious content. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions via session riding, or further compromise of the application through client-side attacks. The vulnerability introduces significant risk in any deployment, especially in shared or internet-facing environments where administrator credentials may be compromised.
Severity ?
4.8 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-51990",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T15:52:16.902370Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T15:53:53.689Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These inputs are stored and subsequently rendered without proper output encoding or sanitization on public-facing pages. As a result, the injected scripts are persistently executed in the browser context of any visitor to the affected instances including both authenticated and unauthenticated users. No user interaction is required beyond visiting a page that includes the malicious content. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions via session riding, or further compromise of the application through client-side attacks. The vulnerability introduces significant risk in any deployment, especially in shared or internet-facing environments where administrator credentials may be compromised."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T14:54:12.974Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/malcxlmj/cve-writeups/blob/main/CVE-2025-51990.md"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-51990",
"datePublished": "2025-08-20T00:00:00.000Z",
"dateReserved": "2025-06-16T00:00:00.000Z",
"dateUpdated": "2025-08-20T15:53:53.689Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54125 (GCVE-0-2025-54125)
Vulnerability from nvd – Published: 2025-08-05 23:30 – Updated: 2025-08-06 20:29
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn't needed. There isn't any feature in XWiki itself that depends on the XML export.
Severity ?
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 1.1, < 16.4.7
Affected: >= 16.5.0-rc-1, < 16.10.5 Affected: >= 17.0.0-rc-1, < 17.2.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54125",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T20:28:50.779888Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T20:29:03.491Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22810"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.1, \u003c 16.4.7"
},
{
"status": "affected",
"version": "\u003e= 16.5.0-rc-1, \u003c 16.10.5"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.2.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren\u0027t named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn\u0027t needed. There isn\u0027t any feature in XWiki itself that depends on the XML export."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T23:30:38.963Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-22810",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22810"
}
],
"source": {
"advisory": "GHSA-57q2-6cp4-9mq3",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform: Password and email exposure in xml.vm fields"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54125",
"datePublished": "2025-08-05T23:30:38.963Z",
"dateReserved": "2025-07-16T23:53:40.509Z",
"dateUpdated": "2025-08-06T20:29:03.491Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54124 (GCVE-0-2025-54124)
Vulnerability from nvd – Published: 2025-08-05 23:28 – Updated: 2025-08-06 20:28
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1.
Severity ?
CWE
- CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 9.8-rc-1, < 16.4.7
Affected: >= 16.5.0-rc-1, < 16.10.5 Affected: >= 17.0.0-rc-1, < 17.2.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54124",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T20:27:54.134605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T20:28:10.785Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22811"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.8-rc-1, \u003c 16.4.7"
},
{
"status": "affected",
"version": "\u003e= 16.5.0-rc-1, \u003c 16.10.5"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.2.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-359",
"description": "CWE-359: Exposure of Private Personal Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T23:28:07.166Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-22811",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22811"
}
],
"source": {
"advisory": "GHSA-r38m-cgpg-qj69",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform: Any user with editing rights can access password properties through Database List Properties"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54124",
"datePublished": "2025-08-05T23:28:07.166Z",
"dateReserved": "2025-07-16T23:53:40.509Z",
"dateUpdated": "2025-08-06T20:28:10.785Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32430 (GCVE-0-2025-32430)
Vulnerability from nvd – Published: 2025-08-05 23:27 – Updated: 2025-08-06 20:27
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 4.2-milestone-3, < 16.4.8
Affected: >= 16.5.0-rc-1, < 16.10.6 Affected: >= 17.0.0-rc-1, < 17.3.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32430",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T20:26:53.478745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-06T20:27:07.444Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2-milestone-3, \u003c 16.4.8"
},
{
"status": "affected",
"version": "\u003e= 16.5.0-rc-1, \u003c 16.10.6"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.3.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim\u0027s session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T23:27:07.471Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-23096",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23096"
}
],
"source": {
"advisory": "GHSA-m9x4-w7p9-mxhx",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform contains Reflected XSS vulnerability in two templates"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32430",
"datePublished": "2025-08-05T23:27:07.471Z",
"dateReserved": "2025-04-08T10:54:58.367Z",
"dateUpdated": "2025-08-06T20:27:07.444Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54385 (GCVE-0-2025-54385)
Vulnerability from nvd – Published: 2025-07-26 03:28 – Updated: 2025-07-28 18:59
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1.
Severity ?
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
< 16.10.6
Affected: >= 17.0.0-rc1, < 17.3.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54385",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-28T18:59:18.202480Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-28T18:59:22.894Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003c 16.10.6"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc1, \u003c 17.3.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it\u0027s possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL\u0027s native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-26T03:28:49.269Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9qm-p942-q3w5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9qm-p942-q3w5"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/7313dc9b533c70f14b7672379c8b3b63d1fd8f51",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/7313dc9b533c70f14b7672379c8b3b63d1fd8f51"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/7c4087d44ac550610b2fa413dd4f5375409265a5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/7c4087d44ac550610b2fa413dd4f5375409265a5"
},
{
"name": "https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_XMLGEN.html"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-22728",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22728"
},
{
"name": "https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/16.10.6"
}
],
"source": {
"advisory": "GHSA-p9qm-p942-q3w5",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform\u0027s searchDocuments API allows for SQL injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54385",
"datePublished": "2025-07-26T03:28:49.269Z",
"dateReserved": "2025-07-21T16:12:20.734Z",
"dateUpdated": "2025-07-28T18:59:22.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32429 (GCVE-0-2025-32429)
Vulnerability from nvd – Published: 2025-07-24 22:22 – Updated: 2025-07-25 13:32
VLAI?
Summary
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-platform |
Affected:
>= 9.4-rc-1, < 16.10.6
Affected: >= 17.0.0-rc-1, < 17.3.0-rc-1 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32429",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-25T13:32:37.844678Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T13:32:47.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.4-rc-1, \u003c 16.10.6"
},
{
"status": "affected",
"version": "\u003e= 17.0.0-rc-1, \u003c 17.3.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it\u0027s possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It\u0027s injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-24T22:22:35.102Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-23093",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-23093"
}
],
"source": {
"advisory": "GHSA-vr59-gm53-v7cq",
"discovery": "UNKNOWN"
},
"title": "XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32429",
"datePublished": "2025-07-24T22:22:35.102Z",
"dateReserved": "2025-04-08T10:54:58.367Z",
"dateUpdated": "2025-07-25T13:32:47.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}