2.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32972

CVE-2025-32972: The lesscss script service allows cache clearing without programming right

Impact

The script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low.

Patches

This has been patched in XWiki 15.10.12, 16.4.3 and 16.8.0 RC1.

Workarounds

We're not aware of any workaround except for being careful whom to give script right, which is a general recommendation.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-32972

CVE-2025-32972:

2.7

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-lesscss-script	maven	>= 6.1-milestone-1, < 15.10.12	15.10.12
org.xwiki.platform:xwiki-platform-lesscss-script	maven	>= 16.0.0-rc-1, < 16.4.3	16.4.3
org.xwiki.platform:xwiki-platform-lesscss-script	maven	>= 16.5.0-rc-1, < 16.8.0-rc-1	16.8.0-rc-1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description states that the LESS compiler's script API incorrectly checked for rights when calling the cache cleaning API. The provided commit (91752122d8782f171f8728004a57bdaefc34253e) modifies three methods in LessCompilerScriptService.java: clearCache, clearCacheFromColorTheme, and clearCacheFromSkin. In each of these methods, the authorization check authorizationManager.hasAccess(Right.PROGRAM, xcontext.getDoc().getAuthorReference(), xcontext.getDoc().getDocumentReference()) was replaced with authorizationManager.hasAccess(Right.PROGRAM). This change indicates that the previous, more specific authorization check was the source of the vulnerability, allowing cache clearing without the necessary programming rights. The commit message also mentions using the 'contextual authorization manager' which supports this interpretation. Therefore, these three functions, with their original authorization checks, are identified as vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-32972: The lesscss script service allows cache clearing without programming right

Impact

Patches

Workarounds

CVE-2025-32972:

2.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

2.7

2.7

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-32972: The lesscss script service allows cache clearing without programming right

Impact

Patches

Workarounds

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI