
CVE-2025-32429 org.xwiki.platform:xwiki-platform-distribution-war

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-distribution-war
Vulnerable Version: >=9.4-rc-1 <16.10.6 || >=17.0.0-rc-1 <17.3.0-rc-1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01478 (percentile 0.80243)

Details

XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter

### Impact

It's possible for anyone to inject SQL using the `sort` parameter of the `getdeleteddocuments.vm` template. The value is inserted as-is as an ORDER BY value. One can see the result of the injection with http://127.0.0.1:8080/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected (this example does not work, but it shows that an HQL query was executed with the passed value, which looks nothing like an ORDER BY value, without any kind of sanitization).

### Patches

This has been patched in 17.3.0-rc-1 and 16.10.6.

### Workarounds

There is no known workaround, other than upgrading XWiki.

### References

https://jira.xwiki.org/browse/XWIKI-23093

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)

### Attribution

The vulnerability was identified by Aleksey Solovev from Positive Technologies.
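The root cause described above is a sort parameter concatenated straight into an ORDER BY clause. The following is an added illustration, written in Python rather than XWiki's Java and not taken from the XWiki code base or the fix: it places the vulnerable string-building pattern beside a hardened builder that only accepts sort fields from an allowlist and a fixed set of directions. The field names (`fullName`, `date`, `deleter`), the table alias, and the base HQL string are assumptions for the demonstration, not XWiki's actual query.

```python
# Added example (not XWiki's code): allowlisting a user-supplied "sort"
# parameter before it is placed in an ORDER BY clause.
from typing import Iterable, List, Tuple

# Assumed, illustrative set of columns a caller may sort on.
ALLOWED_SORT_FIELDS = frozenset({"fullName", "date", "deleter"})
ALLOWED_DIRECTIONS = frozenset({"asc", "desc"})


class InvalidSortParameter(ValueError):
    """Raised when the sort parameter is not built from allowlisted tokens."""


def build_order_by_unsafe(base_query: str, sort: str) -> str:
    # Vulnerable pattern: whatever the client sent becomes part of the HQL
    # text. Any value, not just a column name, reaches the query engine.
    return f"{base_query} order by {sort}"


def parse_sort_spec(sort: str,
                    allowed_fields: Iterable[str] = ALLOWED_SORT_FIELDS
                    ) -> List[Tuple[str, str]]:
    """Parse 'field[:dir],field[:dir]' into validated (field, dir) pairs.

    Every field must be in the allowlist and every direction must be
    'asc' or 'desc'; anything else is rejected rather than sanitized.
    """
    allowed = set(allowed_fields)
    specs: List[Tuple[str, str]] = []
    for part in sort.split(","):
        part = part.strip()
        if not part:
            raise InvalidSortParameter("empty sort entry")
        field, _, direction = part.partition(":")
        direction = (direction or "asc").strip().lower()
        if field not in allowed:
            raise InvalidSortParameter(f"unknown sort field: {field!r}")
        if direction not in ALLOWED_DIRECTIONS:
            raise InvalidSortParameter(f"bad sort direction: {direction!r}")
        specs.append((field, direction))
    return specs


def build_order_by_safe(base_query: str, sort: str, alias: str = "d",
                        allowed_fields: Iterable[str] = ALLOWED_SORT_FIELDS
                        ) -> str:
    # Hardened pattern: the ORDER BY text is assembled only from tokens the
    # server chose; the client's string selects among them but never appears
    # in the query verbatim.
    specs = parse_sort_spec(sort, allowed_fields)
    clause = ", ".join(f"{alias}.{field} {direction}" for field, direction in specs)
    return f"{base_query} order by {clause}"


def is_valid_sort(sort: str,
                  allowed_fields: Iterable[str] = ALLOWED_SORT_FIELDS) -> bool:
    """Convenience check usable at the request boundary or in a WAF-style log scan."""
    try:
        parse_sort_spec(sort, allowed_fields)
        return True
    except InvalidSortParameter:
        return False


if __name__ == "__main__":
    # Constructed base query for the demonstration; not XWiki's real HQL.
    base = "select d from DeletedDocument d"
    print(build_order_by_unsafe(base, "injected"))      # value passes through as-is
    print(build_order_by_safe(base, "date:desc,fullName"))
    print(is_valid_sort("injected"))                     # False: not an allowlisted field
```

The design point is that rejecting is simpler and safer than escaping for an ORDER BY clause: column names and directions cannot be bound as query parameters in HQL, so the only sound defence is to never let the client's bytes reach the query text at all.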

Metadata

Created: 2025-07-24T18:09:01Z
Modified: 2025-07-25T13:32:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-vr59-gm53-v7cq/GHSA-vr59-gm53-v7cq.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-vr59-gm53-v7cq
Finding: F297
Auto approve: 1