We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-32972

The lesscss script service allows cache clearing without programming right



Description

XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

Reserved 2025-04-14 | Published 2025-04-30 | Updated 2025-04-30 | Assigner GitHub_M


LOW: 2.7CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-285: Improper Authorization

Product status

>= 6.1-milestone-1, < 15.10.12
affected

>= 16.0.0-rc-1, < 16.4.3
affected

>= 16.5.0-rc-1, < 16.8.0-rc-1
affected

References

github.com/...atform/security/advisories/GHSA-rp38-24m3-rx87

github.com/...ommit/91752122d8782f171f8728004a57bdaefc34253e

jira.xwiki.org/browse/XWIKI-22462

cve.org (CVE-2025-32972)

nvd.nist.gov (CVE-2025-32972)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-32972

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.