CVE-2025-32972

Published: Apr 30, 2025
Modified: May 13, 2025

CVSS score: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 / Impact: 1.4
Source: NVD

Description

XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

Affected (7)

Products: Xwiki: Xwiki (1 product)
Configuration A (7 vulnerable)
Vulnerable Software: Xwiki
Affected Versions:
From 16.0.0 to 16.4.3
From 16.5.0 to 16.8.0
From 6.2 to 15.10.12
Version 6.1
Version 6.1 milestone1
Version 6.1 milestone2
Version 6.1 rc1

References (4)

Source: security-advisories@github.com
Patch, Vendor Advisory
Source: security-advisories@github.com
Issue Tracking, Vendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Issue Tracking, Vendor Advisory
