How CVE-2025-32968 Works
This vulnerability affects XWiki versions 1.6-milestone-1 through 15.10.15, 16.0.0 through 16.4.5, and 16.5.0 through 16.10.0. An attacker who already holds SCRIPT rights can escape the HQL (Hibernate Query Language) execution context and perform a blind SQL injection against the database behind XWiki. The flaw stems from insufficient input validation in REST API endpoints, which lets the attacker break out of the HQL context and run arbitrary SQL statements. Because the injection is blind, query results are not returned directly; the attacker infers them from errors, timing, or differences in behaviour. Depending on the database backend, the attacker can extract sensitive data (for example password hashes) or modify data with UPDATE/INSERT/DELETE statements. The vulnerability is patched in XWiki 15.10.16, 16.4.6, and 16.10.1.
DailyCVE Form
Platform: XWiki
Version: 1.6-milestone-1 to 16.10.0
Vulnerability: Blind SQL Injection
Severity: Critical
Date: 04/23/2025
What Undercode Says:
Exploitation Analysis
1. Exploit Vector: Abuse SCRIPT rights to inject SQL via the REST API. SCRIPT rights are a precondition, so this is an escalation from script author to direct database access, not an unauthenticated entry point.
2. Impact: Data theft (for example password hashes), data manipulation through UPDATE/INSERT/DELETE, privilege escalation, and RCE where the database exposes an OS-command facility (such as xp_cmdshell on SQL Server).
3. Proof of Concept (PoC):
POST /rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1
Host: vulnerable-xwiki.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic [base64 credentials of an account with SCRIPT rights]

query=EXEC%20xp_cmdshell('whoami')--
The payload shown is SQL Server specific; against PostgreSQL or MySQL the same injection point needs backend-specific SQL, and because the injection is blind the attacker reads results through errors, timing, or behavioural differences rather than in the response body.
Protection Measures
1. Patch: Upgrade to XWiki 15.10.16, 16.4.6, or 16.10.1 (or a later release on the same branch). This is the only complete fix.
2. Restrict SCRIPT rights: the attack requires SCRIPT rights, so audit which users and groups hold them and remove the right from anyone who does not need to author scripts.
3. WAF Rules: Block HQL/SQL keywords in REST requests. Expect false positives on a wiki, where legitimate content and search parameters contain words such as SELECT or UPDATE, and treat this as a stopgap until the patch is applied.
4. Database Hardening (Microsoft SQL Server backends): remove the database's ability to run OS commands, which is what turns this injection into RCE. xp_cmdshell is disabled by default; leave it disabled and revoke execute rights on it:
REVOKE EXECUTE ON xp_cmdshell FROM PUBLIC;
On other backends, run XWiki under a database account limited to its own schema so an injected statement cannot reach other databases.
Detection Commands
1. Log Analysis (catches only queries that Hibernate rejected and logged; a successful blind injection may leave no error at all):
grep -iE "HQL|SQL" /var/log/xwiki/application.log
2. Database Audit (PostgreSQL example; pg_stat_activity shows only the current or most recent statement per connection, so enable log_statement or log_min_duration_statement to keep a history):
SELECT pid, usename, query_start, query FROM pg_stat_activity WHERE query ILIKE '%EXEC%' OR query ILIKE '%xp_cmdshell%';
EXEC and xp_cmdshell are SQL Server constructs. On PostgreSQL or MySQL, search the statement log instead for statements from the XWiki account that contain comment sequences (--) or UNION, UPDATE, INSERT or DELETE outside the shapes XWiki normally issues.
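The following is an added example, not code from this page or from the XWiki project, turning the WAF rule and the log-analysis item above into a triage check: it URL-decodes the query string and form body of a request, inspects only paths under /rest/, and reports which parameters contain SQL keywords. The request records are constructed for the example (the second mirrors the PoC payload shape, the last is double-encoded); nothing here is XWiki's own log format.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Keywords that ordinary REST clients have no reason to send as parameter values.
# The lookarounds require a standalone token so that "updated" does not match UPDATE.
SQL_KEYWORDS = ("EXEC", "xp_cmdshell", "UNION", "SELECT", "UPDATE", "INSERT", "DELETE", "DROP", "--")
_KEYWORD_RE = re.compile(
    r"(?<![\w.])(" + "|".join(re.escape(k) for k in SQL_KEYWORDS) + r")(?!\w)",
    re.IGNORECASE,
)


def suspicious_sql_params(target, body=""):
    """Return (parameter, keyword) pairs for every decoded parameter of a request
    to a /rest/ path that contains a SQL keyword; [] for non-REST paths or clean input.

    target: request target as it appears in a log line, e.g. "/xwiki/rest/wikis/xwiki?q=..."
    body:   application/x-www-form-urlencoded request body, if the log captured one
    """
    parts = urlsplit(target)
    if "/rest/" not in parts.path + "/":
        return []  # page views and edits legitimately contain SQL words; only REST is inspected
    hits = []
    params = parse_qsl(parts.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        decoded = unquote_plus(value)  # parse_qsl decoded once; a second pass catches double encoding
        for match in _KEYWORD_RE.finditer(decoded):
            hits.append((name, match.group(1)))
    return hits


# Constructed sample records for this example (not real traffic). The second carries the
# payload shape from the PoC above; the third is a normal page edit that mentions SELECT.
SAMPLE_REQUESTS = [
    ("/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome", ""),
    ("/rest/wikis/xwiki/spaces/Main/pages/WebHome", "query=EXEC%20xp_cmdshell('whoami')--"),
    ("/xwiki/bin/edit/Main/WebHome", "content=Run+SELECT+in+the+tutorial"),
    ("/xwiki/rest/wikis/xwiki?q=1%2527%2520UNION%2520SELECT", ""),  # double-encoded query string
]


def scan(records):
    """Map the index of each flagged record to the parameters and keywords found in it."""
    flagged = {}
    for index, (target, body) in enumerate(records):
        hits = suspicious_sql_params(target, body)
        if hits:
            flagged[index] = hits
    return flagged


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS).items():
        print(f"record {index}: {hits}")
```

Keyword matching is noisy on a wiki, so use the output to pick requests for manual review rather than as an automatic block rule; the only real fix is the patch together with limiting who holds SCRIPT rights.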
Mitigation Script
# Check the XWiki version string served by the home page. Assumes the version
# appears in the HTML as "XWiki <version>". Only the last vulnerable release on
# each branch is listed here; older releases on the same branch are vulnerable too.
import re
import requests

response = requests.get("http://xwiki-host/xwiki/bin/view/Main/WebHome", timeout=10)
match = re.search(r"XWiki (\d+\.\d+(?:\.\d+)?(?:-[\w-]+)?)", response.text)
if match and match.group(1) in ("15.10.15", "16.4.5", "16.10.0"):
    print(f"XWiki {match.group(1)} is vulnerable! Patch immediately.")
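Checking for a handful of exact version strings misses every older release on the same branch. As an added example (not from this page or the XWiki project), the check below encodes the three affected ranges from the advisory and maps any XWiki version string to the release that fixes its branch. It orders pre-releases such as 16.10.0-rc-1 before the final 16.10.0, and therefore assumes that a pre-release of a fixed version (for example 15.10.16-rc-1) already carries the fix. The version strings in the run at the bottom are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Affected ranges from the CVE-2025-32968 advisory (both bounds inclusive) and the
# release that closes each branch.
AFFECTED_RANGES = [
    ("1.6-milestone-1", "15.10.15", "15.10.16"),
    ("16.0.0", "16.4.5", "16.4.6"),
    ("16.5.0", "16.10.0", "16.10.1"),
]

# major.minor[.patch][-suffix], e.g. "15.10.16", "1.6-milestone-1", "16.10.0-rc-1"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$")


def version_key(version: str) -> Tuple[int, int, int, int]:
    """Sortable key for an XWiki version string.

    The last element is 0 for pre-releases (milestone, rc) and 1 for final
    releases, so 16.10.0-rc-1 sorts before 16.10.0.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch or 0), 0 if suffix else 1)


def fixed_version_for(version: str) -> Optional[str]:
    """Release that fixes CVE-2025-32968 on this version's branch, or None if
    the version lies outside every affected range."""
    key = version_key(version)
    for low, high, fixed in AFFECTED_RANGES:
        if version_key(low) <= key <= version_key(high):
            return fixed
    return None


def is_vulnerable(version: str) -> bool:
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed inputs for the example run.
    for v in ("14.10.21", "15.10.15", "15.10.16", "16.4.5", "16.8.0", "16.10.0-rc-1", "16.10.1", "17.0.0"):
        fixed = fixed_version_for(v)
        print(f"{v:14} {'VULNERABLE, upgrade to ' + fixed if fixed else 'not affected'}")
```

Feed it the version string the instance reports (for example whatever the mitigation script above extracts) and act on a non-None result; a ValueError means the string did not look like an XWiki version and should be checked by hand rather than treated as safe.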
References
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode