CVE-2025-32430
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-09-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | From 4.3 (inc) to 16.4.8 (exc) |
| xwiki | xwiki | From 16.5.0 (inc) to 16.10.6 (exc) |
| xwiki | xwiki | From 17.0.0 (inc) to 17.2.2 (inc) |
| xwiki | xwiki | 4.2 |
| xwiki | xwiki | 16.5.0 |
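Deciding by hand whether an installed XWiki Platform build falls inside the ranges above is easy to get wrong: the bounds mix inclusive and exclusive ends, and a release candidate such as 17.3.0-rc-1 sorts before the final 17.3.0. The Python below is an added example, not code from BaseFortify or the XWiki project; it encodes the published ranges from the table and the fixed versions the page names. The ordering of a "milestone" qualifier below "rc" is an assumption about XWiki's numbering.

```python
"""Check an XWiki Platform version string against the affected ranges
published for CVE-2025-32430 (copied from the table above).

Added example; not part of the BaseFortify page or the XWiki project.
A version with an "-rc-N" suffix sorts before the final release with the
same numbers; "milestone" sorting below "rc" is an assumption.
"""
import re
from typing import Optional, Tuple

# Pre-release qualifiers in ascending order; a final release ranks above both.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([a-z]+)-(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '16.4.8' or '17.3.0-rc-1' into a sortable key.

    Key shape: (major, minor, patch, release_rank, qualifier_number).
    Missing minor/patch components are treated as 0, so '4.3' == '4.3.0'.
    """
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    nums = (int(major), int(minor or 0), int(patch or 0))
    if qualifier is None:
        return nums + (_FINAL_RANK, 0)
    if qualifier not in _QUALIFIER_RANK:
        raise ValueError(f"unknown pre-release qualifier in {version!r}")
    return nums + (_QUALIFIER_RANK[qualifier], int(qnum))


# (low, low_inclusive, high, high_inclusive), as listed on the page.
AFFECTED_RANGES = [
    ("4.3", True, "16.4.8", False),
    ("16.5.0", True, "16.10.6", False),
    ("17.0.0", True, "17.2.2", True),
]
# Single versions listed separately on the page.
AFFECTED_EXACT = ["4.2", "16.5.0"]


def is_affected(version: str) -> bool:
    """True if `version` is inside any published affected range."""
    key = parse_version(version)
    if any(key == parse_version(v) for v in AFFECTED_EXACT):
        return True
    for low, low_inc, high, high_inc in AFFECTED_RANGES:
        lo, hi = parse_version(low), parse_version(high)
        above_low = key >= lo if low_inc else key > lo
        below_high = key <= hi if high_inc else key < hi
        if above_low and below_high:
            return True
    return False


def fixed_version_for(version: str) -> Optional[str]:
    """Return the first fixed release named on the page for this version's
    branch, or None when the version is not affected."""
    if not is_affected(version):
        return None
    major, minor = parse_version(version)[:2]
    if (major, minor) < (16, 5):
        return "16.4.8"
    if major == 16:
        return "16.10.6"
    return "17.3.0-rc-1"


if __name__ == "__main__":
    for v in ["4.2", "16.4.7", "16.4.8", "16.10.5", "17.2.2", "17.3.0-rc-1"]:
        print(f"{v:12} affected={is_affected(v)!s:5} upgrade_to={fixed_version_for(v)}")
```

Run it with the version shown in your instance's administration page; a `None` from `fixed_version_for` means the build is outside every published range.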
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade XWiki Platform to a fixed release: 16.4.8 on the 16.4.x branch, 16.10.6 on the 16.10.x branch, or 17.3.0-rc-1 (or any later 17.x release). If an immediate upgrade is not possible, the WAR file can be patched manually with the same changes as the upstream fix; treat that as a stop-gap and still schedule the upgrade, since hand-patched archives are easy to overwrite on the next deployment.
How can this vulnerability impact me?
The injected script runs in the victim's browser within the XWiki origin, so it inherits the victim's authenticated session and can issue requests carrying that user's permissions. Depending on those permissions, an attacker can read or exfiltrate content the victim can see, modify or delete pages, change account settings, or perform administrative actions if the victim is an administrator. The impact therefore scales with the rights of whichever user is tricked into following the crafted link.
Can you explain this vulnerability to me?
This is a reflected Cross-Site Scripting (XSS) issue, CWE-79, in the XWiki Platform versions listed above. Two templates (not named on this page) write request-controlled input into the rendered page without adequate neutralization. An attacker who lures an authenticated user into opening a specially crafted URL gets JavaScript of their choice executed in that user's session, and can then perform arbitrary actions with that user's permissions. Because the payload travels in the URL rather than being stored on the server, the attack requires user interaction but leaves nothing persistent in wiki content.
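The mechanism described above, reduced to its essentials: a query parameter copied into HTML with and without output encoding. This is an added illustration, not XWiki's templates or the actual vulnerable code behind CVE-2025-32430 (the page does not name the templates or parameters). The template string, the `q` parameter, the hostname and the path in the constructed URL are stand-ins chosen for this example.

```python
"""Reflected XSS (CWE-79) in miniature: a URL parameter interpolated into a
page, once raw and once with HTML entity encoding.

Added illustration; not XWiki code and not the templates behind
CVE-2025-32430. The URL, parameter name and template are constructed here.
"""
import html
from urllib.parse import urlparse, parse_qs

# Constructed attacker-controlled link the victim is lured into opening.
# The payload is percent-encoded as it would be in a real hyperlink.
CRAFTED_URL = (
    "https://wiki.example.test/bin/view/Main/"
    "?q=%3Cscript%3Efetch%28%27/some/privileged/action%27%29%3C/script%3E"
)


def reflected_param(url: str, name: str = "q") -> str:
    """Return the first value of a query parameter, decoded as a server sees it."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(value: str) -> str:
    """Template that interpolates raw input: the browser parses attacker
    markup as HTML, so a <script> element in the parameter executes."""
    return f"<p>Results for: {value}</p>"


def render_hardened(value: str) -> str:
    """Same template with HTML entity encoding applied at the output point,
    which is the fix class for CWE-79: '<' becomes '&lt;' and is shown as text."""
    return f"<p>Results for: {html.escape(value, quote=True)}</p>"


def contains_script_element(markup: str) -> bool:
    """Crude marker used only to contrast the two renderings in this example."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    payload = reflected_param(CRAFTED_URL)
    print("vulnerable:", render_vulnerable(payload))
    print("hardened:  ", render_hardened(payload))
```

The hardened rendering is what a template fix for this class of bug looks like; encoding must match the output context (HTML body here, with different rules for attributes, JavaScript strings or URLs), which is why such bugs recur template by template.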