ghsa-vr59-gm53-v7cq
Vulnerability from github
Impact
It's possible for anyone to inject SQL using the sort parameter of the getdeleteddocuments.vm template. The value is injected as-is as an ORDER BY value.
One can see the result of the injection with http://127.0.0.1:8080/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected (this example does not work, but it shows that an HQL query was executed with the passed value, which looks nothing like an ORDER BY value, without any kind of sanitization).
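As an added illustration (not XWiki's own code), the Python below shows the shape of the fix, a strict allowlist check on the sort value before it is placed into ORDER BY, and then applies the same check to constructed access-log lines so a defender can flag requests to the liveData endpoint whose sort parameter could never have been a plain column reference. The endpoint path and parameter names come from the URL above; the allowed field names, the log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist of sortable fields for the deleted-documents live table;
# the real template's column names are not given on the advisory page.
ALLOWED_SORT_FIELDS = {"doc.fullName", "doc.date", "doc.author", "doc.deleter"}
SORT_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)(?:\s+(asc|desc))?$", re.IGNORECASE)


def safe_order_by(sort: str) -> str:
    """Return a validated ORDER BY fragment or raise ValueError.

    Only an allowlisted field plus an optional direction is accepted, so the
    untrusted value is never concatenated verbatim into the HQL query."""
    m = SORT_RE.match(sort.strip())
    if not m or m.group(1) not in ALLOWED_SORT_FIELDS:
        raise ValueError(f"rejected sort value: {sort!r}")
    direction = (m.group(2) or "asc").lower()
    return f"ORDER BY {m.group(1)} {direction}"


LIVEDATA_PATH = "/xwiki/rest/liveData/sources/liveTable/entries"


def suspicious_sort_requests(log_lines):
    """Return (client, sort) pairs for liveTable entry requests that target the
    getdeleteddocuments.vm template with a sort value failing the allowlist check."""
    hits = []
    for line in log_lines:
        parts = line.split()          # Common Log Format: request target is field 7
        if len(parts) < 7:
            continue
        client, target = parts[0], parts[6]
        url = urlsplit(target)
        if url.path != LIVEDATA_PATH:
            continue
        qs = parse_qs(url.query)     # percent-decodes values such as %20
        if qs.get("sourceParams.template") != ["getdeleteddocuments.vm"]:
            continue
        for sort in qs.get("sort", []):
            try:
                safe_order_by(sort)
            except ValueError:
                hits.append((client, sort))
    return hits


# Constructed sample access-log lines, not taken from a real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/2025:18:09:01 +0000] "GET /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=doc.date%20desc HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jul/2025:18:09:02 +0000] "GET /xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected HTTP/1.1" 500 88',
    '10.0.0.7 - - [24/Jul/2025:18:09:03 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(suspicious_sort_requests(SAMPLE_LOG))  # [('10.0.0.9', 'injected')]
```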
Patches
This has been patched in 17.3.0-rc-1 and 16.10.6.
Workarounds
There is no known workaround, other than upgrading XWiki.
References
https://jira.xwiki.org/browse/XWIKI-23093
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org (https://jira.xwiki.org/)
- Email us at the Security Mailing List (security@xwiki.org)
Attribution
The vulnerability was identified by Aleksey Solovev from Positive Technologies.
Advisory record (GitHub Advisory Database entry, schema version 1.4.0)
ID: GHSA-vr59-gm53-v7cq
Aliases: CVE-2025-32429
CWE: CWE-89
Severity: CRITICAL
CVSS v4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Published: 2025-07-24T18:09:01Z (GitHub reviewed 2025-07-24T18:09:01Z; NVD published 2025-07-24T23:15:26Z)
Modified: 2025-07-25T13:32:02Z
Summary: XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
Affected package (Maven): org.xwiki.platform:xwiki-platform-distribution-war
- introduced 9.4-rc-1, fixed 16.10.6
- introduced 17.0.0-rc-1, fixed 17.3.0-rc-1
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-32429 (NVD)
- https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101 (fix commit)
- https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3 (fix commit)
- https://github.com/xwiki/xwiki-platform (package)
- https://jira.xwiki.org/browse/XWIKI-23093 (issue)