- Description
- XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, a remote unauthenticated user can escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. This is possible even when the "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the database backend in use, the attacker may be able not only to obtain confidential information such as password hashes from the database, but also to execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround other than upgrading XWiki.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- Weakness
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- Weakness source
- security-advisories@github.com
- Hype score
- Not currently trending
🔴 XWiki, Blind SQL Injection, #CVE-2025-32969 (Critical) https://t.co/eZZLNQ1FaX
@dailycve
30 Apr 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 #CyberAlert: Critical SQL Injection Vulnerability CVE-2025-32969 detected in #XWiki! Versions 1.8 - 15.10.15, 16.4.5, 16.10.0: Allow unauthenticated users to execute arbitrary SQL. Patch immediately to 16.10.1, 16.4.6, 15.10.16! No workaround. Secure your data! 🔒💻
@SecAideInfo
26 Apr 2025
22 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-32969 ⚠️🔴 CRITICAL (9.3) 🏢 xwiki - xwiki-platform 🏗️ >= 1.8, < 15.10.16 🔗 https://t.co/5iWYuzBJIR 🔗 https://t.co/p45SJimRiz 🔗 https://t.co/l8qnHuSeSr #CyberCron #VulnAlert #InfoSec https://t.co/64gT5a37KZ
@cybercronai
25 Apr 2025
16 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-32969: CRITICAL] Critical vulnerability in XWiki versions 1.8 to 15.10.16, 16.4.6, and 16.10.1 could lead to SQL injection. Upgrade to patched versions 16.10.1, 16.4.6, or 15.10.16 immediately. #cve,CVE-2025-32969,#cybersecurity https://t.co/4l0Q8B7lDH https://t.co/SXxs6
@CveFindCom
23 Apr 2025
39 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
CVE-2025-32969 XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape… https://t.co/MnFykRR1pE
@CVEnew
23 Apr 2025
153 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
- Configurations (NVD CPE match criteria)

```json
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A2F4E27B-4256-40AC-8DF8-62192CAD4235",
            "versionEndExcluding": "15.10.16",
            "versionStartIncluding": "1.8"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8BFE4D4B-D3CB-46DB-BAC6-2615398EA883",
            "versionEndExcluding": "16.4.6",
            "versionStartIncluding": "16.0.0"
          },
          {
            "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8150C269-44A7-486B-A7BB-06CB0D631348",
            "versionEndExcluding": "16.10.1",
            "versionStartIncluding": "16.5.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
```
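The three CPE ranges above are the practical test of whether a deployment needs the upgrade, but comparing dotted version strings by hand is error-prone (15.10.16 is newer than 15.10.9, a 16.10.1 release candidate is still unpatched). The following checker is an added example, not XWiki project code and not part of the NVD or GitHub advisory: it embeds a constructed copy of the cpeMatch entries shown on this page, parses an XWiki version string (the `major.minor.patch` form with an optional `-rc-N` or `-SNAPSHOT` qualifier is an assumption about XWiki's versioning), and reports whether the version falls in a vulnerable range and which patched release closes that range. Feed it the version string reported by your own deployment; it fetches nothing over the network.

```python
"""Check an XWiki version against the NVD affected ranges for CVE-2025-32969.

Added example; not XWiki project code and not part of the advisory.
"""
import json
import re
import sys

# Constructed copy of the three vulnerable cpeMatch entries from the NVD
# configuration on this page (matchCriteriaId values omitted).
NVD_CONFIGURATIONS = json.loads("""
[{"nodes": [{"negate": false, "operator": "OR", "cpeMatch": [
  {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "vulnerable": true,
   "versionStartIncluding": "1.8",    "versionEndExcluding": "15.10.16"},
  {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "vulnerable": true,
   "versionStartIncluding": "16.0.0", "versionEndExcluding": "16.4.6"},
  {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "vulnerable": true,
   "versionStartIncluding": "16.5.0", "versionEndExcluding": "16.10.1"}
]}]}]
""")

# Assumed version shape: dotted integers with an optional qualifier such as
# "16.10.1-rc-1" or "16.10.0-SNAPSHOT". A qualified build sorts *below* the
# bare release, so a 16.10.1 release candidate still counts as unpatched.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(.+))?")


def parse_version(text):
    """Turn '16.4.5' / '16.10.1-rc-1' into a tuple that compares correctly."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * max(0, 3 - len(nums))  # 16.4 == 16.4.0
    qualifier = m.group(2)
    # Second element: 0 for pre-release, 1 for final, so rc < release.
    return (nums, 0, qualifier) if qualifier else (nums, 1, "")


def in_range(version, match):
    """True if version lies in [versionStartIncluding, versionEndExcluding)."""
    v = parse_version(version)
    lo = match.get("versionStartIncluding")
    hi = match.get("versionEndExcluding")
    if lo is not None and v < parse_version(lo):
        return False
    if hi is not None and v >= parse_version(hi):
        return False
    return True


def matching_ranges(version, configurations=NVD_CONFIGURATIONS):
    """(start, end) of every vulnerable cpeMatch that covers this version."""
    hits = []
    for config in configurations:
        for node in config["nodes"]:
            # Only a plain OR node appears in this advisory; AND or negated
            # nodes would need the full NVD configuration logic.
            if node.get("operator") != "OR" or node.get("negate"):
                continue
            for match in node["cpeMatch"]:
                if match.get("vulnerable") and in_range(version, match):
                    hits.append((match.get("versionStartIncluding"),
                                 match.get("versionEndExcluding")))
    return hits


def is_affected(version):
    return bool(matching_ranges(version))


def fixed_version_for(version):
    """The patched release that closes the matching range (15.10.16, 16.4.6
    or 16.10.1 per the advisory), or None if the version is not affected."""
    hits = matching_ranges(version)
    return hits[0][1] if hits else None


if __name__ == "__main__":
    # Usage: python check_cve_2025_32969.py <xwiki-version> [...]
    for arg in sys.argv[1:] or ["16.10.0"]:
        if is_affected(arg):
            fix = fixed_version_for(arg)
            print(f"{arg}: AFFECTED by CVE-2025-32969, upgrade to {fix}")
        else:
            print(f"{arg}: not in a listed vulnerable range")
```

Two design points worth noting. The pre-release ordering is deliberate: `versionEndExcluding` is the first fixed build, so anything that sorts below it, including an `-rc-N` of that same number, is reported as affected. And the checker only answers what the CPE data says; a version newer than 16.10.1 is reported as "not in a listed vulnerable range" rather than "fixed", because the page makes no claim about later branches.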