SCA: security update for org.xwiki.platform:xwiki-platform-lesscss-script (GHSA-rp38-24m3-rx87)

medium Tenable Cloud Security Plugin ID 434734

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from
16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS
compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it
possible to clean the cache without having programming right. The only impact of this is a slowdown in
XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and
script right already allows unlimited execution of scripts, the additional impact due to this
vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.
(CVE-2025-32972)

See Also

https://github.com/advisories/GHSA-rp38-24m3-rx87

Plugin Details

Severity: Medium

ID: 434734

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2025-32972

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/29/2025

Vulnerability Publication Date: 4/29/2025

Reference Information

CVE: CVE-2025-32972

cwe: CWE-285