8.6

CVSS Score

Basic Information

CVE ID

CVE-2025-32968

GHSA ID

GHSA-g9jj-75mx-wjcx

EPSS Score

CWE

CWE-89

Published

4/23/2025

Updated

4/23/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32968

CVE-2025-32968:
org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API

Impact

It is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend.

Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.

The vulnerability may be tested in a default installation of XWIki Standard Flavor, including using the official Docker containers.

For example, with a MySQL or MariaDB database, you can use the following script (which a user having SCRIPT right but not PROGRAMMING right) to get the content of the xwikistrings table (which contain all the short string fields stored in objects, including passwords):

{{velocity}}
$services.query.hql("where 1<>'1\'' union select concat(XWS_NAME, XWS_VALUE) from xwikistrings #'").execute()
{{/velocity}}

Patches

This has been patched in 16.10.1, 16.4.6 and 15.10.16.

Workarounds

There is no known workaround, other than upgrading XWiki.

The protection added to this REST API is the same as the one used to validate complete select queries, making it more consistent. However, while the script API always had this protection for complete queries, it's important to note that it's a very strict protection and some valid, but complex, queries might suddenly require the author to have programming right.

References

https://jira.xwiki.org/browse/XWIKI-22718

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

8.6

CVSS Score

Basic Information

CVE ID

CVE-2025-32968

GHSA ID

GHSA-g9jj-75mx-wjcx

EPSS Score

CWE

CWE-89

Published

4/23/2025

Updated

4/23/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-oldcore	maven	>= 1.6-milestone-1, < 15.10.16	15.10.16
org.xwiki.platform:xwiki-platform-oldcore	maven	>= 16.0.0-rc-1, < 16.4.6	16.4.6
org.xwiki.platform:xwiki-platform-oldcore	maven	>= 16.5.0-rc-1, < 16.10.1	16.10.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows SQL injection through the script query API, specifically when using short-form HQL select queries. The provided exploit example uses $services.query.hql("...").execute(). The commit 28af3e62d0c49d999a4a9998155eed852b88765f directly addresses this (XWIKI-22718) by modifying com.xpn.xwiki.store.hibernate.query.HqlQueryExecutor.java. The key changes are in the isSafeSelect method, which previously did not adequately validate short-form HQL queries. The patch ensures these queries are converted to a complete form via toCompleteShortForm before being validated by HqlQueryUtils.isSafe(). The execute method of HqlQueryExecutor is the entry point for query execution and calls checkAllowed, which in turn uses isSafeSelect. Therefore, execute, checkAllowed, and isSafeSelect in HqlQueryExecutor are central to the vulnerability and its fix. The QueryScriptService#hql method (or its equivalent) is the initial script API entry point for the malicious HQL, but the core flaw and fix are within HqlQueryExecutor.java, making those functions higher confidence for direct vulnerability involvement based on the patch. The QueryScriptService#hql is an entry point but its direct code wasn't shown as modified in the specific patch for XWIKI-22718, hence it's included with medium confidence as part of the exploitation chain but not the direct location of the patched flaw itself based on the commit diff for XWIKI-22718

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t It is possi*l* *or * us*r wit* S*RIPT ri**t to *s**p* *rom t** *QL *x**ution *ont*xt *n* p*r*orm * *lin* SQL inj**tion to *x**ut* *r*itr*ry SQL st*t*m*nts on t** **t***s* ***k*n*. **p*n*in* on t** us** **t***s* ***k*n*, t** *tt**k*r m*y

Reasoning

T** vuln*r**ility *llows SQL inj**tion t*rou** t** s*ript qu*ry *PI, sp**i*i**lly w**n usin* s*ort-*orm *QL s*l**t qu*ri*s. T** provi*** *xploit *x*mpl* us*s `$s*rvi**s.qu*ry.*ql("...").*x**ut*()`. T** *ommit `****************************************

8.6

Basic Information

Concerned about an active attack path?

CVE-2025-32968: org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API

Impact

Patches

Workarounds

References

For more information

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-32968:
org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API

Vulnerability Intelligence
Miggo AI