SB2025043018 - Multiple vulnerabilities in XWiki platform

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Stored cross-site scripting (CVE-ID: CVE-2025-32974)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to the required rights analysis does not consider TextAreas with default content type. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2024-41947)

The vulnerability allows a remote user to execute arbitrary JavaScript in another user's browser.

The vulnerability exists due to cross-site scripting in the conflict resolution popup when handling page edit conflicts. A remote user can modify a page to include a crafted JavaScript snippet to execute arbitrary JavaScript in another user's browser.

User interaction is required when another user saves the page, encounters a conflict popup, and selects "Fix each conflict individually".

Remediation

Install update from vendor's website.

References

• https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4r
• https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x
• https://github.com/advisories/GHSA-692v-783f-mg8x