We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-32430

XWiki Platform contains Reflected XSS vulnerability in two templates



Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch.

Reserved 2025-04-08 | Published 2025-08-05 | Updated 2025-08-05 | Assigner GitHub_M


MEDIUM: 6.5CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 4.2-milestone-3, < 16.4.8
affected

>= 16.5.0-rc-1, < 16.10.6
affected

>= 17.0.0-rc-1, < 17.3.0-rc-1
affected

References

github.com/...atform/security/advisories/GHSA-m9x4-w7p9-mxhx

github.com/...ommit/e5926a938cbecc8b1eaa48053d8d370cff107cb0

jira.xwiki.org/browse/XWIKI-23096

cve.org (CVE-2025-32430)

nvd.nist.gov (CVE-2025-32430)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-32430

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.