Platform: java
Component: org.xwiki.platform:xwiki-platform-security-requiredrights-default
Fixed versions: 15.9.1, 16.0.1, 15.10.8
CVE-2025-32974 is a critical Cross-Site Scripting (XSS) vulnerability affecting XWiki Platform. This flaw allows attackers to inject malicious scripts into page properties, which are then executed when a user with elevated privileges (script, admin, or programming rights) edits the page. The vulnerability impacts XWiki Platform versions prior to 15.10.8 and poses a significant risk to the confidentiality, integrity, and availability of XWiki installations. A fix is available in version 15.10.8.
The impact of CVE-2025-32974 is severe. An attacker can leverage this vulnerability to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to a wide range of malicious activities, including session hijacking, credential theft, defacement of the XWiki instance, and redirection to malicious websites. The ability to inject scripts into properties that are executed upon editing allows for persistent and stealthy attacks, as the malicious code remains embedded within the page until it is removed. The vulnerability bypasses existing XWiki warnings related to script macros, making it easier for attackers to exploit. Successful exploitation could compromise the entire XWiki installation and potentially affect connected systems.
CVE-2025-32974 was publicly disclosed on April 29, 2025. The vulnerability's ease of exploitation and potential impact suggest a medium probability of exploitation (EPSS score pending). Public proof-of-concept code is not yet widely available, but the vulnerability's description makes it relatively straightforward to reproduce. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting XWiki instances.
Organizations heavily reliant on XWiki Platform for content management and collaboration are at significant risk. Specifically, deployments with a large number of users with elevated privileges (script, admin, or programming rights) are particularly vulnerable. Environments where users frequently edit pages containing properties are also at increased risk.
• linux / server:
  journalctl -u xwiki -f | grep -i "script injection"
• generic web:
  curl -I <xwiki_url>/xwiki/bin/view/Main/MainPage | grep -i "Content-Security-Policy"
• database (mysql):
  SELECT property_name, property_value FROM xwiki_property WHERE property_value LIKE '%<script%'
Disclosure
Exploitation status
EPSS: 1.38% (80th percentile)
The primary mitigation for CVE-2025-32974 is to upgrade XWiki Platform to version 15.10.8 or later. If upgrading immediately is not feasible, consider implementing temporary workarounds. Carefully review all page properties for suspicious content, particularly those related to text areas or properties that might accept script-like input. Restrict user permissions to the minimum necessary level; avoid granting script, admin, or programming rights to users who do not require them. Implement a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting XWiki. Monitor XWiki logs for unusual activity or attempts to inject malicious scripts. After upgrading, confirm the fix by attempting to create a page with a malicious script in a TextArea property and verifying that the script is not executed when a user with appropriate permissions edits the page.
Update XWiki to version 15.10.8 or later, or to version 16.2.0 or later. This fixes the vulnerability that allowed malicious scripts to execute when editing pages with certain properties. The update ensures that the required rights analysis correctly takes into account TextAreas with the default content type.
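As an added illustration (not XWiki's own code or API), the following simplified model of a required-rights analysis shows why a TextArea with the default content type has to be analysed as wiki content: the pre-fix behaviour skips it, so a script macro stored there goes unreported. Property fields, content-type names and the macro-to-right mapping are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical, simplified model of an XWiki object property as seen by a
# required-rights analyzer. Field names and content types are illustrative.
@dataclass
class Property:
    name: str
    prop_type: str                 # "TextArea" or "String"
    content_type: Optional[str]    # "wiki", "velocity", or None = default
    value: str

# Script macros that, when rendered, need script or programming rights
# (assumed mapping; XWiki's real analysis is more detailed).
SCRIPT_MACRO = re.compile(r"\{\{\s*(velocity|groovy|python)\b", re.IGNORECASE)

def required_right(prop: Property, analyze_default: bool) -> Optional[str]:
    """Return the right the property's content needs, or None if it is inert.

    analyze_default=False models the pre-fix analysis that ignored TextAreas
    whose content type was left at the default; True models the fixed code.
    """
    if prop.prop_type != "TextArea":
        return None                      # plain strings are never rendered
    ctype = prop.content_type
    if ctype is None:
        if not analyze_default:
            return None                  # vulnerable: content never inspected
        ctype = "wiki"                   # fixed: default means wiki markup
    if ctype == "velocity":
        return "script"                  # whole value is executed as Velocity
    match = SCRIPT_MACRO.search(prop.value)
    if match:
        macro = match.group(1).lower()
        return "programming" if macro in ("groovy", "python") else "script"
    return None

def analyze(props, fixed: bool = True) -> dict:
    """Map each property name to the right its content requires."""
    return {p.name: required_right(p, fixed) for p in props}

# Constructed sample: a harmless string, a default-typed TextArea carrying a
# Velocity macro, and an explicitly wiki-typed TextArea with a Groovy macro.
SAMPLE = [
    Property("summary", "String", None, "Release notes"),
    Property("body", "TextArea", None, "Hi {{velocity}}$doc.fullName{{/velocity}}"),
    Property("legacy", "TextArea", "wiki", "{{groovy}}println 1{{/groovy}}"),
]
```

Running `analyze(SAMPLE, fixed=False)` reports nothing for `body`, which is exactly the gap the page describes; with `fixed=True` it is flagged as needing script rights, so the editor warning fires.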
CVE-2025-32974 is a critical Cross-Site Scripting (XSS) vulnerability in XWiki Platform versions before 15.10.8, allowing malicious script execution when privileged users edit pages.
If you are running XWiki Platform versions prior to 15.10.8, you are vulnerable to this XSS attack. Assess your environment immediately.
Upgrade XWiki Platform to version 15.10.8 or later to patch this vulnerability. Implement temporary workarounds if immediate upgrade is not possible.
While no confirmed exploitation is currently public, the vulnerability's ease of exploitation suggests a potential for active campaigns. Monitor security advisories.
Refer to the official XWiki security advisory for detailed information and mitigation steps: [https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories](https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories)