CVE-2025-32429

Critical CVSS: 9.3

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.

Vendor

Xwiki

Product

Xwiki

CWE

CWE-89

Yayın Tarihi

2025-07-24 23:15:26

Güncelleme

2025-09-03 17:43:28

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-89 Xwiki CRITICAL Xwiki 2025

Referanslar

https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101 https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq https://jira.xwiki.org/browse/XWIKI-23093

Benzer Kayıtlar

Medium

CVE-2026-26000

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.9.0…

Medium

CVE-2026-24128

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-mi…

Medium

CVE-2025-65090

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights…

Critical

CVE-2025-65091

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.5, users with the right t…

High

CVE-2025-66474

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) int…

Medium

CVE-2025-66472

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-mi…