cve-2025-32972
Vulnerability from cvelistv5
Published
2025-04-30 14:54
Modified
2025-04-30 15:17
Severity ?
EPSS score ?
Summary
The lesscss script service allows cache clearing without programming right
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e | Patch | |
| security-advisories@github.com | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87 | Vendor Advisory, Patch | |
| security-advisories@github.com | https://jira.xwiki.org/browse/XWIKI-22462 | Vendor Advisory, Issue Tracking | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://jira.xwiki.org/browse/XWIKI-22462 | Vendor Advisory, Issue Tracking |
Impacted products
| ▼ | Vendor | Product |
|---|---|---|
| xwiki | xwiki-platform |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32972",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-30T15:17:27.713068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T15:17:31.398Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22462"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-platform",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.1-milestone-1, \u003c 15.10.12"
},
{
"status": "affected",
"version": "\u003e= 16.0.0-rc-1, \u003c 16.4.3"
},
{
"status": "affected",
"version": "\u003e= 16.5.0-rc-1, \u003c 16.8.0-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-30T14:54:58.945Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87"
},
{
"name": "https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-22462",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-22462"
}
],
"source": {
"advisory": "GHSA-rp38-24m3-rx87",
"discovery": "UNKNOWN"
},
"title": "The lesscss script service allows cache clearing without programming right"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32972",
"datePublished": "2025-04-30T14:54:58.945Z",
"dateReserved": "2025-04-14T21:47:11.455Z",
"dateUpdated": "2025-04-30T15:17:31.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-32972\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-04-30T15:16:01.680\",\"lastModified\":\"2025-05-13T15:05:07.237\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.\"},{\"lang\":\"es\",\"value\":\"XWiki es una plataforma wiki gen\u00e9rica. En versiones desde la 6.1-milestone-1 hasta anteriores a la 15.10.12, desde la 16.0.0-rc-1 hasta anteriores a la 16.4.3, y desde la 16.5.0-rc-1 hasta anteriores a la 16.8.0-rc-1, la API de scripts del compilador LESS en XWiki verifica incorrectamente los permisos al llamar a la API de limpieza de cach\u00e9, lo que permite limpiar la cach\u00e9 sin tener permisos de programaci\u00f3n. El \u00fanico impacto es una ralentizaci\u00f3n en la ejecuci\u00f3n de XWiki al rellenar las cach\u00e9s. Dado que esta vulnerabilidad requiere permisos de script para explotarse, y estos permisos ya permiten la ejecuci\u00f3n ilimitada de scripts, el impacto adicional es bajo. Este problema se ha corregido en las versiones 15.10.12, 16.4.3 y 16.8.0-rc-1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":2.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.2,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.2\",\"versionEndExcluding\":\"15.10.12\",\"matchCriteriaId\":\"958763F1-0CC0-4BAD-B1C9-211EDDBF225E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.0.0\",\"versionEndExcluding\":\"16.4.3\",\"matchCriteriaId\":\"9B04B1AC-349C-45AC-804F-6C020283508B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"16.5.0\",\"versionEndExcluding\":\"16.8.0\",\"matchCriteriaId\":\"019584A5-91D6-4548-B8EF-BD8010C8C90D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:6.1:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"CB1892AA-3410-41EA-B45A-1E7EEB6D354D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:6.1:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"347BCA66-59DB-4AFE-81AC-CBBC16A9D2C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:6.1:milestone2:*:*:*:*:*:*\",\"matchCriteriaId\":\"52DBE10F-1F55-46AD-9D47-5C05FAB85777\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:6.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"DE2A8246-5889-4BC6-AF65-F19BBAB094C6\"}]}]}],\"references\":[{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Patch\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-22462\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Issue Tracking\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-22462\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Vendor Advisory\",\"Issue Tracking\"]}]}}"
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.