GHSA-M9X4-W7P9-MXHX
Vulnerability from github – Published: 2025-08-05 15:32 – Updated: 2025-08-06 14:31Impact
Reflected XSS vulnerabilities in two templates allow an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. PoC URLs are /xwiki/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=<img src=1 onerror=alert(document.domain)> and /xwiki/bin/view/Main/?xpage=distribution&extensionId=%3Cimg src=x onerror=alert(document.domain)%3E&extensionVersionConstraint=%3Cimg src=x onerror=alert(document.domain)%3E. This allows the attacker to perform arbitrary actions using the permissions of the victim.
Patches
The problem has been patched in XWiki 16.4.8, 16.10.6 and 17.3.0RC1 by adding escaping in the affected templates.
Workarounds
The affected templates can be patched manually in the WAR by applying the same changes as in the patch.
Attribution
The vulnerability involving job_status_json has been reported as "Unauth Reflected XSS" vulnerability by Aleksey Solovev (Positive Technologies), and the vulnerability involving distribution has been reported as "Auth Admin Reflected XSS" vulnerability by Evgeny Kopytin (Positive Technologies). According to our analysis, both vulnerabilities can be exploited against both unauthenticated and authenticated victims (including victims with admin privileges) which is why we publish them together in this advisory.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-web-templates"
},
"ranges": [
{
"events": [
{
"introduced": "4.2-milestone-3"
},
{
"fixed": "16.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-web-templates"
},
"ranges": [
{
"events": [
{
"introduced": "16.5.0-rc-1"
},
{
"fixed": "16.10.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-web-templates"
},
"ranges": [
{
"events": [
{
"introduced": "17.0.0-rc-1"
},
{
"fixed": "17.3.0-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-32430"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-05T15:32:56Z",
"nvd_published_at": "2025-08-06T00:15:29Z",
"severity": "MODERATE"
},
"details": "### Impact\nReflected XSS vulnerabilities in two templates allow an attacker to execute malicious JavaScript code in the context of the victim\u0027s session by getting the victim to visit an attacker-controlled URL. PoC URLs are `/xwiki/bin/view/Main/?xpage=job_status_json\u0026jobId=asdf\u0026translationPrefix=\u003cimg src=1 onerror=alert(document.domain)\u003e` and `/xwiki/bin/view/Main/?xpage=distribution\u0026extensionId=%3Cimg src=x onerror=alert(document.domain)%3E\u0026extensionVersionConstraint=%3Cimg src=x onerror=alert(document.domain)%3E`. This allows the attacker to perform arbitrary actions using the permissions of the victim.\n\n### Patches\nThe problem has been patched in XWiki 16.4.8, 16.10.6 and 17.3.0RC1 by adding escaping in the affected templates.\n\n### Workarounds\nThe affected templates can be patched manually in the WAR by applying the same changes as in [the patch](https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0).\n\n### Attribution\n\nThe vulnerability involving `job_status_json` has been reported as \"Unauth Reflected XSS\" vulnerability by Aleksey Solovev (Positive Technologies), and the vulnerability involving `distribution` has been reported as \"Auth Admin Reflected XSS\" vulnerability by Evgeny Kopytin (Positive Technologies). According to our analysis, both vulnerabilities can be exploited against both unauthenticated and authenticated victims (including victims with admin privileges) which is why we publish them together in this advisory.",
"id": "GHSA-m9x4-w7p9-mxhx",
"modified": "2025-08-06T14:31:07Z",
"published": "2025-08-05T15:32:56Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32430"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-23096"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "XWiki allows Reflected XSS in two templates"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.