CVE-2025-32972

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Apr 30, 2025
Updated: May 13, 2025
CWE ID 285 (Improper Authorization)

Summary

CVE-2025-32972 is a vulnerability affecting XWiki versions 6.1-milestone-1 to before 15.10.12, 16.0.0-rc-1 to before 16.4.3, and 16.5.0-rc-1 to before 16.8.0-rc-1. It lies in the script API of XWiki's LESS compiler, which does not check rights correctly before clearing the LESS cache. Consequently, a user holding only script right can clear the cache without proper authorization, which causes a performance hit while the caches are refilled. The impact is relatively low, since script right already grants extensive permissions, and the issue is a denial-of-service (performance) concern rather than a data exposure. Patched versions are 15.10.12, 16.4.3, and 16.8.0-rc-1; instances on an affected version should upgrade to one of them.
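The bug class here is a script-exposed administrative operation gated on the wrong (or no) right. The following is an added illustration, not XWiki's actual LESS compiler code: a hypothetical script service whose component name, the `LessCache` interface and the method names are all assumed. It shows the vulnerable pattern beside a hardened one that requires programming right through XWiki's real `ContextualAuthorizationManager` API before an expensive, server-wide cache clear.

```java
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;

import org.xwiki.component.annotation.Component;
import org.xwiki.script.service.ScriptService;
import org.xwiki.security.authorization.ContextualAuthorizationManager;
import org.xwiki.security.authorization.Right;

// Assumed abstraction for the compiled-LESS cache; not an XWiki type.
interface LessCache
{
    void clear();
}

// Hypothetical script service, reachable from wiki scripts as $services.lessdemo.
@Component
@Named("lessdemo")
@Singleton
public class LessCacheScriptService implements ScriptService
{
    @Inject
    private ContextualAuthorizationManager authorization;

    @Inject
    private LessCache cache;

    // Vulnerable pattern: no right is checked beyond what is needed to run a
    // script at all. Every author with script right can force a full cache
    // rebuild, which is the performance issue the advisory describes.
    public void clearCacheUnchecked()
    {
        this.cache.clear();
    }

    // Hardened pattern: a server-wide administrative operation requires
    // programming right, evaluated for the current author/document context.
    // The refusal is returned to the caller instead of silently doing nothing.
    public boolean clearCache()
    {
        if (!this.authorization.hasAccess(Right.PROGRAM)) {
            return false;
        }
        this.cache.clear();
        return true;
    }
}
```

When reviewing script services for this pattern, look for any method with a global side effect (cache invalidation, reindexing, configuration reload) that is callable from scripting and check that the right it demands is stronger than the right needed to call it; `hasAccess(Right.PROGRAM)` returns a boolean, while `checkAccess(Right.PROGRAM)` throws `AccessDeniedException`, and either is acceptable as long as the check runs before the side effect.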

