org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type
Description
XWiki is a generic wiki platform. In versions from 15.9-rc-1 before 15.10.8 and from 16.0.0-rc-1 before 16.2.0, the required rights analysis does not consider TextAreas with the default content type. Since version 15.9, XWiki warns on edit when the page contains content, such as a script macro, that would gain rights from being saved by the current editor. This analysis skipped TextArea properties whose content type is unset or unrecognised (which XWiki nevertheless renders as wiki text), so a user could place a malicious script in such a property and have it executed once a user with script, admin, or programming rights edited the page. Such a script could impact the confidentiality, integrity and availability of the whole XWiki installation. This issue has been patched in versions 15.10.8 and 16.2.0.
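As an added illustration, not code from XWiki or from the advisory, the following stand-alone Java program models the content-type dispatch in DefaultObjectRequiredRightAnalyzer.analyzeTextAreaProperty before and after the fix. The ContentType enum and its string values, the TextAreaProperty record, and the two analyzer stand-ins are assumptions written for this example: the real XDOM and Velocity analyzers are replaced by a regex that flags script macros, and the real getByValue is assumed to return null for an unset or unknown value, which is what the pre-fix null guard relied on.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Models the XWIKI-22002 dispatch bug: an unset/unknown content type skipped analysis. */
public class TextAreaAnalysisDemo {

    /** Stand-in for TextAreaClass.ContentType; string values are assumed for this example. */
    enum ContentType {
        PURE_TEXT("puretext"), WIKI_TEXT("wiki"), VELOCITY_CODE("velocitycode"), VELOCITY_WIKI("velocitywiki");

        private final String value;

        ContentType(String value) { this.value = value; }

        /** Assumed to behave like the real lookup: null for an unset or unknown value. */
        static ContentType getByValue(String value) {
            for (ContentType ct : values()) {
                if (ct.value.equalsIgnoreCase(value)) {
                    return ct;
                }
            }
            return null;
        }
    }

    /** Constructed stand-in for an xobject TextArea field and its class-level content type. */
    record TextAreaProperty(String name, String contentType, String value) {}

    /** Script macros whose body executes with the rights of the document's last author. */
    private static final Pattern SCRIPT_MACRO =
        Pattern.compile("\\{\\{(groovy|velocity|python|php)\\b", Pattern.CASE_INSENSITIVE);

    /** Stand-in for the XDOM analyzer: one finding per script macro in wiki content. */
    static List<String> analyzeWikiContent(TextAreaProperty p) {
        List<String> findings = new ArrayList<>();
        Matcher m = SCRIPT_MACRO.matcher(p.value());
        while (m.find()) {
            findings.add(p.name() + ": {{" + m.group(1).toLowerCase() + "}} requires SCRIPT right");
        }
        return findings;
    }

    /** Stand-in for the Velocity analyzer: any non-blank Velocity code needs script right. */
    static List<String> analyzeVelocity(TextAreaProperty p) {
        return List.of(p.name() + ": Velocity code requires SCRIPT right");
    }

    /** Vulnerable dispatch (before the fix): a null content type short-circuits everything. */
    static List<String> analyzeBefore(TextAreaProperty p) {
        ContentType contentType = ContentType.getByValue(p.contentType());
        if (contentType != null && !p.value().isBlank()) {
            switch (contentType) {
                case VELOCITY_CODE:
                case VELOCITY_WIKI:
                    return analyzeVelocity(p);
                case WIKI_TEXT:
                    return analyzeWikiContent(p);
                default:
                    break;
            }
        }
        return List.of();
    }

    /** Fixed dispatch: null defaults to wiki text, and only PURE_TEXT is an explicit no-op. */
    static List<String> analyzeAfter(TextAreaProperty p) {
        ContentType contentType = ContentType.getByValue(p.contentType());
        if (contentType == null) {
            contentType = ContentType.WIKI_TEXT; // same default the renderer applies
        }
        if (p.value().isBlank()) {
            return List.of();
        }
        switch (contentType) {
            case VELOCITY_CODE:
            case VELOCITY_WIKI:
                return analyzeVelocity(p);
            case PURE_TEXT:
                return List.of(); // never rendered as wiki syntax, nothing can execute
            default:
                return analyzeWikiContent(p); // WIKI_TEXT and any content type added later
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a class whose TextArea never had a content type set,
        // one with an unrecognised value, and one explicitly marked as pure text.
        TextAreaProperty unset = new TextAreaProperty("description", "",
            "{{groovy}}println services.security.authorization{{/groovy}}");
        TextAreaProperty typo = new TextAreaProperty("notes", "wikitext", "{{velocity}}$xwiki{{/velocity}}");
        TextAreaProperty plain = new TextAreaProperty("raw", "puretext", "{{groovy}}nothing{{/groovy}}");

        for (TextAreaProperty p : List.of(unset, typo, plain)) {
            System.out.println(p.name() + " [contentType='" + p.contentType() + "']");
            System.out.println("  before: " + analyzeBefore(p));
            System.out.println("  after:  " + analyzeAfter(p));
        }
    }
}
```

Running it shows the asymmetry the advisory describes: for the unset and unrecognised content types, the pre-fix dispatch returns no findings while the fixed dispatch reports the planted macro, and the pure-text field is reported by neither, since it is never rendered as wiki syntax.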
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-security-requiredrights-default (Maven) | >= 15.9-rc-1, < 15.10.8 | 15.10.8 |
| org.xwiki.platform:xwiki-platform-security-requiredrights-default (Maven) | >= 16.0.0-rc-1, < 16.2.0 | 16.2.0 |
Affected products
- Range: >= 15.9-rc-1, < 15.10.8
Patches
153dbfa2ef1a XWIKI-22002: Improve the required rights analysis of TextArea properties
2 files changed · +41 −3
xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-requiredrights/xwiki-platform-security-requiredrights-default/src/main/java/org/xwiki/platform/security/requiredrights/internal/analyzer/DefaultObjectRequiredRightAnalyzer.java+7 −3 modified@@ -154,6 +154,10 @@ protected List<RequiredRightAnalysisResult> analyzeTextAreaProperty(BaseObject o String contentTypeString = textAreaClass.getContentType(); TextAreaClass.ContentType contentType = TextAreaClass.ContentType.getByValue(contentTypeString); + if (contentType == null) { + // Default to wiki text like TextAreaClass does. + contentType = TextAreaClass.ContentType.WIKI_TEXT; + } PropertyInterface field = object.getField(propertyName); List<RequiredRightAnalysisResult> result = List.of(); @@ -162,7 +166,7 @@ protected List<RequiredRightAnalysisResult> analyzeTextAreaProperty(BaseObject o if (!textAreaClass.isRestricted() && field instanceof BaseStringProperty) { String value = ((BaseStringProperty) field).getValue(); - if (contentType != null && StringUtils.isNotBlank(value)) { + if (StringUtils.isNotBlank(value)) { switch (contentType) { case VELOCITY_CODE: result = analyzeVelocityScriptValue(value, field.getReference(), @@ -176,10 +180,10 @@ protected List<RequiredRightAnalysisResult> analyzeTextAreaProperty(BaseObject o result = analyzeWikiContent(object, value, field.getReference()); } break; - case WIKI_TEXT: - result = analyzeWikiContent(object, value, field.getReference()); + case PURE_TEXT: break; default: + result = analyzeWikiContent(object, value, field.getReference()); break; } }
xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-requiredrights/xwiki-platform-security-requiredrights-default/src/test/java/org/xwiki/platform/security/requiredrights/internal/analyzer/DefaultObjectRequiredRightAnalyzerTest.java+34 −0 modified@@ -153,6 +153,40 @@ void analyzeWithDefaultAnalyzer() assertEquals(testObject.getField(velocityWikiFieldName).getReference(), results.get(2).getEntityReference()); } + @Test + void analyzeDefaultTextArea() + throws XWikiException, RequiredRightsException, MissingParserException, ParseException + { + DocumentReference classReference = new DocumentReference("wiki", "XWiki", "StandardClass"); + XWikiDocument classDocument = new XWikiDocument(classReference); + BaseClass classObject = classDocument.getXClass(); + String wikiFieldName = "wiki"; + classObject.addTextAreaField(wikiFieldName, "Wiki", 80, 5, "---", "---", false); + this.oldcore.getSpyXWiki().saveDocument(classDocument, this.oldcore.getXWikiContext()); + + XWikiDocument testDocument = new XWikiDocument(new DocumentReference("wiki", "space", "page")); + Syntax testSyntax = mock(); + testDocument.setSyntax(testSyntax); + BaseObject testObject = testDocument.newXObject(classReference, this.oldcore.getXWikiContext()); + String wikiContent = "{{groovy}}{{/groovy}}"; + testObject.setLargeStringValue(wikiFieldName, wikiContent); + + XDOM wikiXDOM = new XDOM(List.of()); + when(this.contentParser.parse(wikiContent, testSyntax, testObject.getDocumentReference())).thenReturn(wikiXDOM); + + RequiredRightAnalysisResult wikiResult = mock(); + when(this.xdomRequiredRightAnalyzer.analyze(wikiXDOM)).thenReturn(List.of(wikiResult)); + + List<RequiredRightAnalysisResult> results = this.analyzer.analyze(testObject); + verify(this.xdomRequiredRightAnalyzer).analyze(wikiXDOM); + verifyNoMoreInteractions(this.xdomRequiredRightAnalyzer); + assertEquals(testObject.getField(wikiFieldName).getReference(), + 
wikiXDOM.getMetaData().getMetaData().get(XDOMRequiredRightAnalyzer.ENTITY_REFERENCE_METADATA)); + + assertEquals(wikiResult, results.get(0)); + } + + @Test void analyzeWithCustomAnalyzerThrowsException() throws XWikiException, RequiredRightsException {
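Review bot: in the first hunk of DefaultObjectRequiredRightAnalyzer (@@ -154), the new `contentType = TextAreaClass.ContentType.WIKI_TEXT;` fallback restates the default that TextAreaClass applies when rendering, with only the comment "Default to wiki text like TextAreaClass does" tying the two together; if TextAreaClass exposes that default (as a constant, or by having getContentType() return it instead of a null-mapping value), reference it here so the analyzer cannot drift from the renderer again, since that drift is exactly the bug being fixed.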
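Review bot: in the third hunk (@@ -176), removing the explicit `case WIKI_TEXT:` label means the most common content type now reaches analyzeWikiContent only through `default:`, so a reader has to infer that wiki text is still analyzed; keep `case WIKI_TEXT:` as a fall-through into `default:`, or comment the default branch as "WIKI_TEXT and any content type added later", so the fail-closed intent is visible. The direction itself is right: a new ContentType constant now gets wiki analysis unless someone deliberately adds a no-op case like the new `case PURE_TEXT:`.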
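Review bot: in the test hunk (@@ -153 of DefaultObjectRequiredRightAnalyzerTest), `classObject.addTextAreaField(wikiFieldName, "Wiki", 80, 5, "---", "---", false)` only exercises the new null-content-type path if "---" is a value that `ContentType.getByValue` does not recognise, which the test never states; add a comment saying the editor and content-type arguments are deliberately unmapped, and consider a second case that leaves the content type empty, since a class created without ever setting one is the realistic shape of the bug. Also, `assertEquals(wikiResult, results.get(0))` is the only check on the returned list; an `assertEquals(1, results.size())` would catch a regression that analyzes the same field twice.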
Vulnerability mechanics
DefaultObjectRequiredRightAnalyzer.analyzeTextAreaProperty resolves a TextArea's content type with TextAreaClass.ContentType.getByValue(contentTypeString). For a TextArea whose class never set a content type, or set one the enum does not know, that lookup returns null, and the pre-fix code guarded the whole switch with `contentType != null`, so the property's value was never handed to analyzeWikiContent. TextAreaClass itself treats a missing content type as wiki text when rendering, so a `{{groovy}}` or `{{velocity}}` macro stored in such a field still executes on view, while the edit-time required-rights warning stayed silent. Once a user with script, admin or programming rights saved the page, the planted macro ran with that user's rights. The fix defaults a null content type to WIKI_TEXT, drops the null guard, makes PURE_TEXT the only explicit no-op, and routes WIKI_TEXT together with any other content type through analyzeWikiContent, matching the renderer's behaviour.
References
- GHSA-mvgm-3rw2-7j4r (GitHub advisory): github.com/advisories/GHSA-mvgm-3rw2-7j4r
- CVE-2025-32974 (NVD): nvd.nist.gov/vuln/detail/CVE-2025-32974
- Fix commit 153dbfa2ef1a: github.com/xwiki/xwiki-platform/commit/153dbfa2ef1a7a0a644fe3f889684c6a8738c5fc
- XWiki security advisory: github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvgm-3rw2-7j4r
- Issue XWIKI-22002: jira.xwiki.org/browse/XWIKI-22002