{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-32972", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-14T21:47:11.455Z", "datePublished": "2025-04-30T14:54:58.945Z", "dateUpdated": "2025-04-30T15:17:31.398Z"}, "containers": {"cna": {"title": "The lesscss script service allows cache clearing without programming right", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e"}, {"name": "https://jira.xwiki.org/browse/XWIKI-22462", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-22462"}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 6.1-milestone-1, < 15.10.12", "status": "affected"}, {"version": ">= 16.0.0-rc-1, < 16.4.3", "status": "affected"}, {"version": ">= 16.5.0-rc-1, < 16.8.0-rc-1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-30T14:54:58.945Z"}, "descriptions": [{"lang": "en", "value": "XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1."}], "source": {"advisory": "GHSA-rp38-24m3-rx87", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://jira.xwiki.org/browse/XWIKI-22462", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-30T15:17:27.713068Z", "id": "CVE-2025-32972", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T15:17:31.398Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32972", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-30T15:17:27.713068Z"}}}], "references": [{"url": "https://jira.xwiki.org/browse/XWIKI-22462", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-30T15:17:23.531Z"}}], "cna": {"title": "The lesscss script service allows cache clearing without programming right", "source": {"advisory": "GHSA-rp38-24m3-rx87", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"status": "affected", "version": ">= 6.1-milestone-1, < 15.10.12"}, {"status": "affected", "version": ">= 16.0.0-rc-1, < 16.4.3"}, {"status": "affected", "version": ">= 16.5.0-rc-1, < 16.8.0-rc-1"}]}], "references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87", "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e", "name": "https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e", "tags": ["x_refsource_MISC"]}, {"url": "https://jira.xwiki.org/browse/XWIKI-22462", "name": "https://jira.xwiki.org/browse/XWIKI-22462", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-30T14:54:58.945Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32972", "state": "PUBLISHED", "dateUpdated": "2025-04-30T15:17:31.398Z", "dateReserved": "2025-04-14T21:47:11.455Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-04-30T14:54:58.945Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "958763F1-0CC0-4BAD-B1C9-211EDDBF225E", "versionEndExcluding": "15.10.12", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B04B1AC-349C-45AC-804F-6C020283508B", "versionEndExcluding": "16.4.3", "versionStartIncluding": "16.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "019584A5-91D6-4548-B8EF-BD8010C8C90D", "versionEndExcluding": "16.8.0", "versionStartIncluding": "16.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:6.1:-:*:*:*:*:*:*", "matchCriteriaId": "CB1892AA-3410-41EA-B45A-1E7EEB6D354D", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:6.1:milestone1:*:*:*:*:*:*", "matchCriteriaId": "347BCA66-59DB-4AFE-81AC-CBBC16A9D2C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:6.1:milestone2:*:*:*:*:*:*", "matchCriteriaId": "52DBE10F-1F55-46AD-9D47-5C05FAB85777", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "DE2A8246-5889-4BC6-AF65-F19BBAB094C6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1."}, {"lang": "es", "value": "XWiki es una plataforma wiki gen\u00e9rica. En versiones desde la 6.1-milestone-1 hasta anteriores a la 15.10.12, desde la 16.0.0-rc-1 hasta anteriores a la 16.4.3, y desde la 16.5.0-rc-1 hasta anteriores a la 16.8.0-rc-1, la API de scripts del compilador LESS en XWiki verifica incorrectamente los permisos al llamar a la API de limpieza de cach\u00e9, lo que permite limpiar la cach\u00e9 sin tener permisos de programaci\u00f3n. El \u00fanico impacto es una ralentizaci\u00f3n en la ejecuci\u00f3n de XWiki al rellenar las cach\u00e9s. Dado que esta vulnerabilidad requiere permisos de script para explotarse, y estos permisos ya permiten la ejecuci\u00f3n ilimitada de scripts, el impacto adicional es bajo. Este problema se ha corregido en las versiones 15.10.12, 16.4.3 y 16.8.0-rc-1."}], "id": "CVE-2025-32972", "lastModified": "2025-05-13T15:05:07.237", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-30T15:16:01.680", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/xwiki/xwiki-platform/commit/91752122d8782f171f8728004a57bdaefc34253e"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Patch"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rp38-24m3-rx87"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Issue Tracking"], "url": "https://jira.xwiki.org/browse/XWIKI-22462"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Issue Tracking"], "url": "https://jira.xwiki.org/browse/XWIKI-22462"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}