CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-32970: org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability

6.1 CVSS

Description

XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirects to any URL. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0.

Classification

CVE ID: CVE-2025-32970

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem Types

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Affected Products

Vendor: xwiki

Product: xwiki-platform

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.07% (probability of being exploited)

EPSS Percentile: 21.93% (scored less or equal to compared to others)

EPSS Date: 2025-05-29 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32970
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pjhg-9wr9-rj96
https://github.com/xwiki/xwiki-platform/commit/6dab7909f45deb00efd36a0cd47788e95ad64802
https://jira.xwiki.org/browse/XWIKI-22487

Timeline

2025-04-30 15:40:20 UTC
CVE

org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability