CVE-2025-32971
April 30, 2025
XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's scripting API normally requires programming rights to be called. Due to using the wrong API for checking rights, it doesn't take the fact into account that programming rights might have been dropped by calling "$xcontext.dropPermissions()". If some code relies on this for the safety of executing Velocity code with the wrong author context, this could allow a user with script rights to either cause a high load by indexing documents or to temporarily remove documents from the search index. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0-rc-1.
Affected Packages
https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) >=xwiki-platform-16.0.0-rc-1 <xwiki-platform-16.4.4Fix Suggestion:
Update to version xwiki-platform-16.4.4https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) >=xwiki-platform-4.5.1 <xwiki-platform-15.10.13Fix Suggestion:
Update to version xwiki-platform-15.10.13https://github.com/xwiki/xwiki-platform.git (GITHUB):
Affected version(s) >=xwiki-platform-16.5.0-rc-1 <xwiki-platform-16.8.0Fix Suggestion:
Update to version xwiki-platform-16.8.0org.xwiki.platform:xwiki-platform-search-solr-api (JAVA):
Affected version(s) Fix Suggestion:
Update to version 15.10.13org.xwiki.platform:xwiki-platform-search-solr-api (JAVA):
Affected version(s) Fix Suggestion:
Update to version 16.4.4org.xwiki.platform:xwiki-platform-search-solr-api (JAVA):
Affected version(s) Fix Suggestion:
Update to version 16.8.0-rc-1org.xwiki.platform:xwiki-platform-search-solr-api (NEXUS):
Affected version(s) >=16.5.0-rc-1 <16.8.0-rc-1Fix Suggestion:
Update to version 16.8.0-rc-1org.xwiki.platform:xwiki-platform-search-solr-api (NEXUS):
Affected version(s) >=16.0.0-rc-1 <16.4.4Fix Suggestion:
Update to version 16.4.4org.xwiki.platform:xwiki-platform-search-solr-api (NEXUS):
Affected version(s) >=4.5.1 <15.10.13Fix Suggestion:
Update to version 15.10.13Related Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Incorrect Authorization
EPSS
Base Score:
0.04
