{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-32430", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-08T10:54:58.367Z", "datePublished": "2025-08-05T23:27:07.471Z", "dateUpdated": "2025-08-06T20:27:07.444Z"}, "containers": {"cna": {"title": "XWiki Platform contains Reflected XSS vulnerability in two templates", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0"}, {"name": "https://jira.xwiki.org/browse/XWIKI-23096", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-23096"}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 4.2-milestone-3, < 16.4.8", "status": "affected"}, {"version": ">= 16.5.0-rc-1, < 16.10.6", "status": "affected"}, {"version": ">= 17.0.0-rc-1, < 17.3.0-rc-1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-05T23:27:07.471Z"}, "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch."}], "source": {"advisory": "GHSA-m9x4-w7p9-mxhx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-06T20:26:53.478745Z", "id": "CVE-2025-32430", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T20:27:07.444Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32430", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-06T20:26:53.478745Z"}}}], "references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-06T16:14:44.280Z"}}], "cna": {"title": "XWiki Platform contains Reflected XSS vulnerability in two templates", "source": {"advisory": "GHSA-m9x4-w7p9-mxhx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"status": "affected", "version": ">= 4.2-milestone-3, < 16.4.8"}, {"status": "affected", "version": ">= 16.5.0-rc-1, < 16.10.6"}, {"status": "affected", "version": ">= 17.0.0-rc-1, < 17.3.0-rc-1"}]}], "references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx", "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0", "name": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0", "tags": ["x_refsource_MISC"]}, {"url": "https://jira.xwiki.org/browse/XWIKI-23096", "name": "https://jira.xwiki.org/browse/XWIKI-23096", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-05T23:27:07.471Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32430", "state": "PUBLISHED", "dateUpdated": "2025-08-06T20:27:07.444Z", "dateReserved": "2025-04-08T10:54:58.367Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-05T23:27:07.471Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch."}, {"lang": "es", "value": "XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios de ejecuci\u00f3n para aplicaciones desarrolladas sobre ella. En las versiones 4.2-milestone-3 a 16.4.7, 16.5.0-rc-1 a 16.10.5 y 17.0.0-rc-1 a 17.2.2, dos plantillas contienen vulnerabilidades XSS reflejadas, lo que permite a un atacante ejecutar c\u00f3digo JavaScript malicioso en la sesi\u00f3n de la v\u00edctima al obligarla a visitar una URL controlada por el atacante. Esto permite al atacante realizar acciones arbitrarias utilizando los permisos de la v\u00edctima. Este problema se ha corregido en las versiones 16.4.8, 16.10.6 y 17.3.0-rc-1. Para solucionarlo, parchee manualmente el WAR con los mismos cambios que el parche original."}], "id": "CVE-2025-32430", "lastModified": "2025-08-06T21:15:28.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-08-06T00:15:29.193", "references": [{"source": "[email protected]", "url": "https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0"}, {"source": "[email protected]", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"}, {"source": "[email protected]", "url": "https://jira.xwiki.org/browse/XWIKI-23096"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Secondary"}]}

{}