CVE-2025-32973

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-32973
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32973.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32973
Aliases
Published
2025-04-30T14:55:04.478Z
Modified
2026-04-10T05:25:18.792924Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
Details

XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a document in XWiki that was last edited by a user without programming rights and contains an XWiki.ComponentClass, there is no warning that this will grant programming rights to this object. An attacker who created such a malicious object could use this to gain programming rights on the wiki. For this, the attacker needs to have edit rights on at least one page to place this object and then get an admin user to edit that document. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

Database specific 
{
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32973.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
887a52296cbe18cda0f6b3b8f709b6cd8365de1e
Fixed
6914819340c6e94b51b7e5c68613f47831d4996b
Database specific 
{
    "versions": [
        {
            "introduced": "15.9-rc-1"
        },
        {
            "fixed": "15.10.12"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
6f103dbca9c98cf3b53bfadb83d982facb198d56
Fixed
82ba90784232fd5947c70b74bbbcfc67a245aca1
Database specific 
{
    "versions": [
        {
            "introduced": "16.0.0-rc-1"
        },
        {
            "fixed": "16.4.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
ed06c998964cae931ccfe7005a67eeaedaf60e58
Fixed
87f3d1e36a2372943f5d2b34e86877eb41fa0e21
Database specific 
{
    "versions": [
        {
            "introduced": "16.5.0-rc-1"
        },
        {
            "fixed": "16.8.0-rc-1"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32973.json"