CVE-2025-32974
org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page like a script macro that would gain more rights due to the editing. This analysis doesn't consider certain kinds of properties, allowing a user to put malicious scripts in there that will be executed after a user with script, admin, or programming rights edited the page. Such a malicious script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.
Reserved 2025-04-14 | Published 2025-04-30 | Updated 2025-04-30 | Assigner GitHub_MCWE-116: Improper Encoding or Escaping of Output
CWE-269: Improper Privilege Management
github.com/...atform/security/advisories/GHSA-mvgm-3rw2-7j4r
github.com/...ommit/153dbfa2ef1a7a0a644fe3f889684c6a8738c5fc
jira.xwiki.org/browse/XWIKI-22002
Support options
