Platform: java
Component: org.xwiki.platform:xwiki-platform-security-requiredrights-default
Fixed in: 15.9.1, 16.0.1, 15.10.8
CVE-2025-32974 is a critical Cross-Site Scripting (XSS) vulnerability affecting XWiki Platform. This flaw allows attackers to inject malicious scripts into page properties, which are then executed when a user with elevated privileges (script, admin, or programming rights) edits the page. The vulnerability impacts XWiki Platform versions prior to 15.10.8 and poses a significant risk to the confidentiality, integrity, and availability of XWiki installations. A fix is available in version 15.10.8.
The impact of CVE-2025-32974 is severe. An attacker can leverage this vulnerability to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a wide range of malicious activities, including session hijacking, credential theft, defacement of the XWiki instance, and redirection to malicious websites. The ability to inject scripts into properties that are executed upon editing allows for persistent and stealthy attacks, as the malicious code remains embedded within the page until it is removed. The vulnerability bypasses existing XWiki warnings related to script macros, making it easier for attackers to exploit. Successful exploitation could compromise the entire XWiki installation and potentially affect connected systems.
CVE-2025-32974 was publicly disclosed on April 29, 2025. The vulnerability's ease of exploitation and potential impact suggest a medium probability of exploitation (EPSS score pending). Public proof-of-concept code is not yet widely available, but the vulnerability's description makes it relatively straightforward to reproduce. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting XWiki instances.
Organizations heavily reliant on XWiki Platform for content management and collaboration are at significant risk. Specifically, deployments with a large number of users with elevated privileges (script, admin, or programming rights) are particularly vulnerable. Environments where users frequently edit pages containing properties are also at increased risk.
• linux / server:
journalctl -u xwiki -f | grep -i "script injection"
• generic web:
curl -I <xwiki_url>/xwiki/bin/view/Main/MainPage | grep -i "Content-Security-Policy"
• database (mysql):
SELECT property_name, property_value FROM xwiki_property WHERE property_value LIKE '%<script%'
Exploit status
EPSS: 1.38% (80th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-32974 is to upgrade XWiki Platform to version 15.10.8 or later. If upgrading immediately is not feasible, consider implementing temporary workarounds. Carefully review all page properties for suspicious content, particularly those related to text areas or properties that might accept script-like input. Restrict user permissions to the minimum necessary level; avoid granting script, admin, or programming rights to users who do not require them. Implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting XWiki. Monitor XWiki logs for unusual activity or attempts to inject malicious scripts. After upgrading, confirm the fix by attempting to create a page with a malicious script in a TextArea property and verifying that the script is not executed when a user with appropriate permissions edits the page.
Update XWiki to version 15.10.8 or later, or to version 16.2.0 or later. This fixes the vulnerability that allows malicious scripts to be executed when editing pages with certain properties. The update ensures that the required-rights analysis correctly takes TextAreas with the default content type into account.
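To support the manual review of page properties recommended above, here is an added example (not from this advisory or the XWiki project) that scans an XWiki page XML export and flags TextArea properties carrying script macros or raw HTML. The element layout (<object>, <class>, classType, <property>) and the TextAreaClass type name are assumed from XWiki's XAR page export format, and the sample document is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Markers in a TextArea value that deserve a human look (script macros, raw HTML).
SUSPICIOUS = re.compile(
    r"\{\{\s*(velocity|groovy|python|html|script)\b|<script\b|javascript:", re.IGNORECASE)
# Assumed XWiki class type name for TextArea fields in the XAR export format.
TEXTAREA_CLASS = "com.xpn.xwiki.objects.classes.TextAreaClass"


def textarea_fields(obj):
    """Names of the object's fields whose declared class type is TextArea."""
    cls = obj.find("class")
    if cls is None:
        return set()
    return {f.tag for f in cls if f.findtext("classType", "") == TEXTAREA_CLASS}


def scan_page(xml_text):
    """Return (className, fieldName, snippet) for each flagged TextArea value."""
    root = ET.fromstring(xml_text)
    findings = []
    for obj in root.iter("object"):
        class_name = obj.findtext("className", "?")
        fields = textarea_fields(obj)  # only TextAreas were overlooked by the analysis
        for prop in obj.findall("property"):
            for value in prop:
                text = value.text or ""
                if value.tag in fields and SUSPICIOUS.search(text):
                    findings.append((class_name, value.tag, text.strip()[:60]))
    return findings


# Constructed sample: a benign TextArea, a TextArea carrying a velocity macro,
# and a String field (not a TextArea) that is therefore not reported.
SAMPLE = """<xwikidoc reference="Sandbox.Test">
  <object>
    <className>Sandbox.DemoClass</className>
    <class>
      <summary><classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType></summary>
      <notes><classType>com.xpn.xwiki.objects.classes.TextAreaClass</classType></notes>
      <title><classType>com.xpn.xwiki.objects.classes.StringClass</classType></title>
    </class>
    <property><summary>Plain wiki text, nothing to see.</summary></property>
    <property><notes>{{velocity}}$request.getParameter('q'){{/velocity}}</notes></property>
    <property><title>{{html}}not a TextArea field{{/html}}</title></property>
  </object>
</xwikidoc>"""

if __name__ == "__main__":
    for hit in scan_page(SAMPLE):
        print("flagged:", hit)
```

Run it against each page XML in an unpacked XAR export; every hit is a property value to inspect by hand before a privileged user opens the page in edit mode.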
CVE-2025-32974 is a critical Cross-Site Scripting (XSS) vulnerability in XWiki Platform versions before 15.10.8, allowing malicious script execution when privileged users edit pages.
If you are running XWiki Platform versions prior to 15.10.8, you are vulnerable to this XSS attack. Assess your environment immediately.
Upgrade XWiki Platform to version 15.10.8 or later to patch this vulnerability. Implement temporary workarounds if immediate upgrade is not possible.
While no confirmed exploitation is currently public, the vulnerability's ease of exploitation suggests a potential for active campaigns. Monitor security advisories.
Refer to the official XWiki security advisory for detailed information and mitigation steps: [https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories](https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories)