CVE-2025-32972

Published: Apr 30, 2025

Modified: Apr 30, 2025

PUBLISHED

CVSS v3.1

2.7

LOW

Description

XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

Vendor	Product	Versions
xwiki	xwiki-platform	affected `>= 6.1-milestone-1, < 15.10.12` affected `>= 16.0.0-rc-1, < 16.4.3` affected `>= 16.5.0-rc-1, < 16.8.0-rc-1`

Weaknesses (CWE)

CWE-285

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87

x_refsource_CONFIRM

https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-22462

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-32972

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References