Improper Encoding or Escaping of Output Affecting org.xwiki.platform:xwiki-platform-security-requiredrights-default package, versions [15.9-rc-1,15.10.8)[16.0.0-rc-1,16.2.0)


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGXWIKIPLATFORM-9904724
  • published30 Apr 2025
  • disclosed29 Apr 2025
  • creditUnknown

Introduced: 29 Apr 2025

NewCVE-2025-32974  (opens in a new tab)
CWE-116  (opens in a new tab)

How to fix?

Upgrade org.xwiki.platform:xwiki-platform-security-requiredrights-default to version 15.10.8, 16.2.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to the improper handling of TextArea properties with default content types. An attacker can execute arbitrary scripts that impact the confidentiality, integrity, and availability of the XWiki installation by inserting malicious scripts into these properties, which are then executed after an edit by a user with higher privileges.

CVSS Base Scores

version 4.0
version 3.1