Skip to content

org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right

Critical severity GitHub Reviewed Published Apr 29, 2025 in xwiki/xwiki-platform • Updated Apr 30, 2025

Package

maven org.xwiki.platform:xwiki-platform-component-wiki (Maven)

Affected versions

>= 15.9-rc-1, < 15.10.12
>= 16.0.0-rc-1, < 16.4.3
>= 16.5.0-rc-1, < 16.8.0-rc-1

Patched versions

15.10.12
16.4.3
16.8.0-rc-1

Description

Impact

When a user with programming right edits a document in XWiki that was last edited by a user without programming right and contains an XWiki.ComponentClass, there is no warning that this will grant programming right to this object. An attacker who created such a malicious object could use this to gain programming right on the wiki. For this, the attacker needs to have edit right on at least one page to place this object and then get an admin user to edit that document.

To reproduce the problem, as a user without programming right, add an object of type XWiki.ComponentClass to any page and then edit the page as a user with programming right. There should be warning displayed, if not, the XWiki installation is vulnerable.

While such a warning didn't exist in any version of XWiki, only in XWiki 15.9 RC1 these kinds of warnings have been introduced which is why this is considered the first version that has this vulnerability. Before that, the advice was to be careful when editing pages edited by untrusted users.

Patches

This problem has been patched in XWiki 15.10.2, 16.4.3, and 16.8.0 RC1.

Workarounds

We're not aware of any workarounds apart from not editing pages that might have been edited by untrusted users as a user with programming rights, e.g., by using separate user accounts for admin and non-admin tasks.

References

@michitux michitux published to xwiki/xwiki-platform Apr 29, 2025
Published to the GitHub Advisory Database Apr 29, 2025
Reviewed Apr 29, 2025
Published by the National Vulnerability Database Apr 30, 2025
Last updated Apr 30, 2025

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(71st percentile)

Weaknesses

CVE ID

CVE-2025-32973

GHSA ID

GHSA-x7wv-5qg4-vmr6

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.