Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2025-32429

UNKNOWN
Published 2025-07-24T22:22:35.102Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2025-32429. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

xwiki

xwiki-platform

Affected Versions:

>= 9.4-rc-1, < 16.10.6 >= 17.0.0-rc-1, < 17.3.0-rc-1

EU Vulnerability Database

Monitored by ENISA for EU cybersecurity

EU Coordination

EU Coordinated

Exploitation Status

No Known Exploitation

EUVD ID

View on ENISA

ENISA Analysis

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.

Affected Products (ENISA)

xwiki
xwiki-platform

ENISA Scoring

CVSS Score (4.0)

9.3
/10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS Score

1.620
probability

ENISA References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq
https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101
https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3
https://jira.xwiki.org/browse/XWIKI-23093

Data provided by ENISA EU Vulnerability Database. Last updated: July 25, 2025

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed CRITICAL

XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter

GHSA-vr59-gm53-v7cq

Advisory Details

### Impact It's possible for anyone to inject SQL using the parameter sort of the `getdeleteddocuments.vm`. It's injected as is as an ORDER BY value. One can see the result of the injection with http://127.0.0.1:8080/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected (this example does not work, but it shows that an HQL query was executed with the passed value which look nothing like an order by value, without any kind of sanitation). ### Patches This has been patched in 17.3.0-rc-1, 16.10.6. ### Workarounds There is no known workaround, other than upgrading XWiki. ### References https://jira.xwiki.org/browse/XWIKI-23093 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected]) ### Attribution The vulnerability was identifier by Aleksey Solovev from Positive Technologies.

Affected Packages

Maven org.xwiki.platform:xwiki-platform-distribution-war
ECOSYSTEM: ≥9.4-rc-1 <16.10.6
Maven org.xwiki.platform:xwiki-platform-distribution-war
ECOSYSTEM: ≥17.0.0-rc-1 <17.3.0-rc-1

CVSS Scoring

CVSS Score

9.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

WEB https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-32429
WEB https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101
WEB https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3
PACKAGE https://github.com/xwiki/xwiki-platform
WEB https://jira.xwiki.org/browse/XWIKI-23093

Advisory provided by GitHub Security Advisory Database. Published: July 24, 2025, Modified: July 25, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

2 posts
Reddit 3 days ago
crstux
Exploit

🔥 Top 10 Trending CVEs (30/07/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2023-2533](https://nvd.nist.gov/vuln/detail/CVE-2023-2533)** - 📝 A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary …

Also mentions: CVE-2025-54418 CVE-2025-54416 CVE-2025-53770 CVE-2025-20337 CVE-2025-49704 CVE-2025-20281 CVE-2025-31199 CVE-2025-37899 CVE-2023-2533
2
2.0
View Original High Risk
Reddit 4 days ago
crstux
Exploit

🔥 Top 10 Trending CVEs (29/07/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2025-31199](https://nvd.nist.gov/vuln/detail/CVE-2025-31199)** - 📝 A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.4 and iPadOS 18.4, visionOS 2.4, macOS Sequoia 15.4. An app may be …

Also mentions: CVE-2025-53771 CVE-2025-53770 CVE-2025-54309 CVE-2025-23266 CVE-2025-20337 CVE-2025-49704 CVE-2025-20281 CVE-2025-0133 CVE-2025-31199
1
1.0
View Original High Risk

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq
https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101
https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3
https://jira.xwiki.org/browse/XWIKI-23093
Published: 2025-07-24T22:22:35.102Z
Last Modified: 2025-07-25T13:32:47.835Z
Copied to clipboard!