SCA: security update for org.xwiki.platform:xwiki-platform-rest-server (GHSA-f69v-xrj8-rhxf)

critical Tenable Cloud Security Plugin ID 434272

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and
16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and
perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when
"Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered
users from editing pages, regardless of the page rights" options are enabled. Depending on the used
database backend, the attacker may be able to not only obtain confidential information such as password
hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in
versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki.
(CVE-2025-32969)

See Also

https://github.com/advisories/GHSA-f69v-xrj8-rhxf

Plugin Details

Severity: Critical

ID: 434272

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.77

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-32969

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/23/2025

Vulnerability Publication Date: 4/23/2025

Reference Information

CVE: CVE-2025-32969

cwe: CWE-89