CVE-2025-32970 – org.xwiki.platform:xwiki-platform-wysiwyg-api
Package
Manager: maven
Name: org.xwiki.platform:xwiki-platform-wysiwyg-api
Vulnerable Version: >=13.5-rc-1 <15.10.13 || >=16.0.0-rc-1 <16.4.4 || >=16.5.0-rc-1 <16.8.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00325 (percentile 0.54849)
Details
org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability

### Impact
An open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirect to any URL. To reproduce, open `<xwiki-host>/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://www.example.com/` where `<xwiki-host>` is the URL of your XWiki installation.

### Patches
This bug has been fixed in XWiki 15.10.13, 16.4.4 and 16.8.0 by validating the domain of the redirect URL against the configured safe domains and the current request's domain.

### Workarounds
A web application firewall could be configured to reject requests with the `xerror` parameter, as from our analysis this parameter isn't used anymore. For requests with the `RequiresHTMLConversion` parameter set, the referrer URL should be checked to confirm it points to the XWiki installation. Apart from that, we're not aware of any workarounds.
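The following is an added example, not XWiki's own code: a redirect-target check of the kind the fix describes (host must equal the current request's host or one of the configured safe domains), together with a small scanner that applies it to request URLs such as the reproduction URL above to flag attempts. The host name `wiki.example.org`, the safe-domain list and the `is_safe_redirect`/`flag_request` helpers are constructed for illustration. The check also covers the bypasses an open-redirect validator usually stumbles on (scheme-relative `//host`, backslash-as-slash, userinfo tricks, `https:host` without slashes, non-http schemes), which the advisory does not enumerate.

```python
"""Added example (not XWiki's code): redirect-target validation of the kind the
advisory's fix describes, plus a scanner applying it to request URLs. Host names
and the safe-domain list are constructed for illustration."""
from urllib.parse import parse_qs, urlsplit

# Constructed stand-ins for the instance host and its configured safe domains.
REQUEST_HOST = "wiki.example.org"
SAFE_DOMAINS = frozenset({"wiki.example.org", "intranet.example.org"})

# The advisory's reproduction URL with a constructed host filled in.
REPRO_URL = ("https://wiki.example.org/xwiki/bin/view/Main/"
             "?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo"
             "&xerror=https://www.example.com/")


def is_safe_redirect(target, request_host, safe_domains=frozenset()):
    """Allow only same-origin relative paths, or absolute http(s) URLs whose host
    exactly matches the current request's host or a configured safe domain."""
    if not target:
        return False
    # Browsers drop tab/CR/LF inside URLs and treat '\' as '/' in http(s) URLs,
    # so normalise before parsing: "/\evil.com" parses as a harmless path here
    # but navigates to "//evil.com" in the browser.
    cleaned = "".join(c for c in target if c not in "\t\r\n").strip().replace("\\", "/")
    if not cleaned:
        return False
    parts = urlsplit(cleaned)
    if parts.scheme:
        if parts.scheme.lower() not in ("http", "https"):
            return False            # javascript:, data:, etc.
        if not parts.netloc:
            return False            # "https:evil.com" is absolute for a browser
    if not parts.netloc:
        return True                 # plain path or query: stays on the current host
    # .hostname strips userinfo ("wiki.example.org@evil.com"), strips the port
    # and lowercases, so the comparison below is against the real host.
    host = parts.hostname
    if not host:
        return False
    allowed = {request_host.lower()} | {d.lower() for d in safe_domains}
    return host in allowed


def flag_request(request_url, request_host, safe_domains=frozenset()):
    """True if the request carries the vulnerable parameter pair with an xerror
    value that the check above would refuse to redirect to."""
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    if "RequiresHTMLConversion" not in query or "xerror" not in query:
        return False
    return not all(is_safe_redirect(x, request_host, safe_domains)
                   for x in query["xerror"])


if __name__ == "__main__":
    print("reproduction URL flagged:",
          flag_request(REPRO_URL, REQUEST_HOST, SAFE_DOMAINS))
```

Exact host matching is deliberately conservative: suffix matching (`endswith(".example.org")`) is the usual way such allowlists get bypassed with look-alike hosts, and the advisory's fix is described as a domain comparison, not a pattern match. The scanner only looks at the `xerror` value because that is the parameter the advisory identifies; the WAF workaround of rejecting any request carrying `xerror` is simpler and does not need the host comparison at all.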
Metadata
Created: 2025-04-29T13:57:23Z
Modified: 2025-04-30T17:29:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-pjhg-9wr9-rj96/GHSA-pjhg-9wr9-rj96.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-pjhg-9wr9-rj96
Finding: F156
Auto approve: 1