SCA: security update for org.xwiki.platform:xwiki-platform-component-wiki (GHSA-x7wv-5qg4-vmr6)

critical Tenable Cloud Security Plugin ID 434635

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.12, from 16.0.0-rc-1
to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, when a user with programming rights edits a
document in XWiki that was last edited by a user without programming rights and contains an
XWiki.ComponentClass, there is no warning that this will grant programming rights to this object. An
attacker who created such a malicious object could use this to gain programming rights on the wiki. For
this, the attacker needs to have edit rights on at least one page to place this object and then get an
admin user to edit that document. This issue has been patched in versions 15.10.12, 16.4.3, and
16.8.0-rc-1. (CVE-2025-32973)

See Also

https://github.com/advisories/GHSA-x7wv-5qg4-vmr6

Plugin Details

Severity: Critical

ID: 434635

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7

Percentile: 98.35

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-32973

CVSS v3

Risk Factor: Critical

Base Score: 9

Temporal Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/29/2025

Vulnerability Publication Date: 4/29/2025

Reference Information

CVE: CVE-2025-32973

cwe: CWE-862