CVE-2025-32429
BaseFortify
Publication date: 2025-07-24
Last updated on: 2025-09-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | From 9.4 (inc) to 16.10.6 (exc) |
| xwiki | xwiki | From 17.0.0 (inc) to 17.2.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in XWiki Platform allows anyone to perform SQL injection through the 'sort' parameter of the getdeleteddocuments.vm page. The parameter is used directly as an ORDER BY clause in SQL queries without proper sanitization, enabling attackers to manipulate the database query.
How can this vulnerability impact me? :
The SQL injection vulnerability can lead to unauthorized access to or manipulation of the database, potentially exposing sensitive data, corrupting data, or allowing further attacks on the system. Given the high CVSS score of 9.3, the impact is severe and can compromise the confidentiality, integrity, and availability of the affected system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade XWiki Platform to version 16.10.6 or later, or 17.3.0-rc-1 or later, where the SQL injection issue in the getdeleteddocuments.vm parameter 'sort' is fixed.