CVE-2025-32429
XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter
In short
XWiki's deleted documents page allows attackers to inject malicious SQL commands through the sort parameter, potentially exposing or manipulating sensitive database information without authentication.
Technical detail
SQL injection vulnerability in the getdeleteddocuments.vm template: the sort request parameter is embedded directly into the ORDER BY clause without validation. Exploitable by unauthenticated users; exploitation requires only network access to the XWiki instance. Impact includes unauthorized data access, modification, or deletion in the underlying database.
Summary generated and translated by AI from the official description.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as-is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1.
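The two sides of this bug, as an added illustration that is not XWiki's code: a query builder that appends the sort parameter verbatim (the pattern the advisory describes) next to one that resolves it through a fixed allowlist, plus a small detector that flags requests to the template whose sort value is not a plain identifier. The base query, column names, and request-line format are assumed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the listing query; not XWiki's actual HQL.
BASE_QUERY = "select ddoc from XWikiDeletedDocument ddoc"

# Allowlist: request value -> column expression. Names are assumed for illustration.
SORTABLE_COLUMNS = {"fullName": "ddoc.fullName", "date": "ddoc.date", "deleter": "ddoc.deleter"}
DIRECTIONS = {"asc": "asc", "desc": "desc"}

def build_query_vulnerable(sort):
    """The pattern the advisory describes: the parameter is appended to ORDER BY as-is."""
    return f"{BASE_QUERY} order by {sort}"

def is_allowed_sort(sort, direction="asc"):
    """True only when both parts map onto the fixed allowlist."""
    return sort in SORTABLE_COLUMNS and direction.lower() in DIRECTIONS

def build_query_hardened(sort, direction="asc"):
    """Resolve the parameter through the allowlist so user input never reaches the SQL text."""
    if not is_allowed_sort(sort, direction):
        raise ValueError(f"unsupported sort parameter: {sort!r}")
    return f"{BASE_QUERY} order by {SORTABLE_COLUMNS[sort]} {DIRECTIONS[direction.lower()]}"

# Detection side: a legitimate sort value looks like a (possibly dotted) identifier.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")

def suspicious_sort_values(request_lines):
    """Return (line number, decoded sort value) for template requests whose
    sort parameter is not a plain identifier. Request-line format is assumed."""
    hits = []
    for n, line in enumerate(request_lines, 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        query = parse_qs(urlsplit(parts[1]).query)
        if "getdeleteddocuments" not in query.get("xpage", []):
            continue
        hits.extend((n, v) for v in query.get("sort", []) if not IDENTIFIER.match(v))
    return hits

# Constructed sample request lines (not real traffic); the second carries a tampered value.
SAMPLE_REQUESTS = [
    "GET /xwiki/bin/view/Main/?xpage=getdeleteddocuments&sort=date HTTP/1.1",
    "GET /xwiki/bin/view/Main/?xpage=getdeleteddocuments&sort=date%20foo%3Dbar HTTP/1.1",
    "GET /xwiki/bin/view/Main/?xpage=other&sort=date%20foo%3Dbar HTTP/1.1",
]

if __name__ == "__main__":
    print(build_query_hardened("date", "desc"))
    print(suspicious_sort_values(SAMPLE_REQUESTS))
```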
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
xwiki · xwiki-platform
Public PoCs found: 4
github.com/byteReaper77/CVE-2025-32429 (★ 10)
github.com/amir-othman/CVE-2025-32429 (★ 0)
github.com/imbas007/CVE-2025-32429-Checker (★ 0)
www.exploit-db.com/exploits/52384 (unverified)
Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/xwiki/xwiki-platform/commit/dfd0744e9c18d24ac66a0d261dc6cafd1c209101
https://github.com/xwiki/xwiki-platform/commit/f502b5d5fd36284a50890ad26d168b7d8dc80bd3
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vr59-gm53-v7cq
https://jira.xwiki.org/browse/XWIKI-23093