Vulnerability Description
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.
CVSS Score
9.0 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| XWiki | XWiki | >= 15.9-rc-1, < 15.10.8 |
| XWiki | XWiki | >= 16.0.0-rc-1, < 16.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-platform/commit/153dbfa2ef1a7a0a644fe3f889684c6a8 (Patch)
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4r (Patch, Vendor Advisory)
- https://jira.xwiki.org/browse/XWIKI-22002 (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2025-32974?
CVE-2025-32974 is a vulnerability with a CVSS score of 9.0 (CRITICAL). XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default cont...
How severe is CVE-2025-32974?
CVE-2025-32974 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-32974?
Yes. The issue is fixed in XWiki 15.10.8 and 16.2.0; see the references section above for the vendor advisory and the patch commit. Affected product: XWiki (xwiki-platform).