CVE-2025-32970
Published 2025-04-30
Priority P179 · medium · 6.1 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.54% (41.2nd percentile)
XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirects to any URL. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 13.5 < 15.10.13 | 15.10.13 |
| xwiki | xwiki | >= 16.0.0 < 16.4.4 | 16.4.4 |
| xwiki | xwiki | >= 16.5.0 < 16.8.0 | 16.8.0 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Detection & IOCs (extracted from sources)
URL: `{{BaseURL}}/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://oast.me`
Sigma detection: http_response_header `Location` matching regex `(?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$`
- The open redirect is triggered via the `xerror` query parameter in the HTML conversion request filter endpoint. Monitor GET requests to /xwiki/bin/view/ paths that include both `RequiresHTMLConversion` and `xerror` parameters where `xerror` contains an external URL.
- Detection should look for HTTP 3xx redirect responses from XWiki where the `Location` header points to an external domain not belonging to the XWiki instance, triggered by requests containing `RequiresHTMLConversion` and `xerror` parameters.
- Shodan and FOFA fingerprinting for exposed XWiki instances can use the attribute `data-xwiki-reference` present in page HTML to identify targets.
- The vulnerability exists in XWiki versions 13.5-rc-1 through 15.10.12, 16.0.0-rc-1 through 16.4.3, and 16.5.0-rc-1 through 16.7.x. Prioritize detection/patching on instances running these version ranges.
- The `xerror` parameter is the specific attack vector for this open redirect. Any WAF or filtering rule must block or sanitize external URLs supplied to `xerror` in conjunction with `RequiresHTMLConversion` requests.
- The Nuclei template also checks for `text/javascript` in the response header as a secondary matcher, which may help reduce false positives when hunting for this specific redirect behavior.
CVSS provenance
- NVD (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- VulnCheck: 6.1 MEDIUM
GHSA
org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability
ghsa · 2025-04-29
CVE-2025-32970 [MEDIUM] CWE-601 org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability
### Impact
An open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirect to any URL. To reproduce, open `/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://www.example.com/` relative to the base URL of your XWiki installation.
### Patches
This bug has been fixed in XWiki 15.10.13, 16.4.4 and 16.8.0 by validating the domain of the redirect URL against the configured safe domains and the current request's domain.
### Workarounds
A web application firewall could be configured to reject requests with the `xerror` parameter as from our analysis this parameter isn't used anymore. For requests with the `Requir
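The allow-list check that the GHSA note says the patched releases apply (the redirect host must be the current request's host or one of the configured safe domains), together with the request-side and response-side detections the notes above describe, as an added Python example. This is not XWiki's code and not any listed source's template or rule; the safe-domain set, the request host, the access-log lines and the fallback path are constructed for the example, and in XWiki the real inputs are its configured safe domains and the host of the request being served.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list for the example; in XWiki the real inputs are the
# configured safe domains plus the host of the current request.
SAFE_DOMAINS = {"wiki.example.org", "docs.example.org"}


def is_safe_redirect(target, request_host, safe_domains=SAFE_DOMAINS):
    """Allow-list check of the kind the advisory describes for the fix.

    Accepts a path-relative target, or an absolute http(s) target whose host is
    the current request's host or one of the configured safe domains. Browsers
    read '/\\host' and '\\\\host' as '//host', so backslashes are normalised
    first; .hostname discards userinfo, so 'https://wiki.example.org@evil/'
    is judged by 'evil', not by the decoy in front of the '@'.
    """
    normalised = target.strip().replace("\\", "/")
    try:
        parts = urlsplit(normalised)
        host = parts.hostname
    except ValueError:           # malformed authority, e.g. an unterminated IPv6 literal
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False             # javascript:, data:, mailto: ... are never site-local
    if host is None:
        return not parts.scheme  # '/path' is fine; 'https:evil' has a scheme but no host
    return host == request_host.lower() or host in safe_domains


def safe_redirect_location(target, request_host, fallback="/xwiki/bin/view/Main/"):
    """Location a hardened handler would emit: the target if allowed, else an on-site page."""
    return target if is_safe_redirect(target, request_host) else fallback


def is_external_redirect(location, request_host, safe_domains=SAFE_DOMAINS):
    """Response-side detection: True when a Location header value points off-site."""
    return not is_safe_redirect(location, request_host, safe_domains)


# Apache combined-format access-log lines, constructed for this example (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [30/Apr/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https%3A%2F%2Fattacker.example%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Apr/2025:10:01:05 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [30/Apr/2025:10:02:11 +0000] "GET /xwiki/bin/view/Main/?RequiresHTMLConversion=foo&xerror=%2Fxwiki%2Fbin%2Fview%2FMain%2FWebHome HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.9 - - [30/Apr/2025:10:03:40 +0000] "GET /xwiki/bin/view/Sandbox/?RequiresHTMLConversion=foo&xerror=%2F%5Cattacker.example%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Apr/2025:10:04:01 +0000] "GET /xwiki/bin/view/Main/?RequiresHTMLConversion=foo&xerror=https%3A%2F%2Fdocs.example.org%2Fhelp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(log_text, request_host, safe_domains=SAFE_DOMAINS):
    """Request-side detection from the notes above: a request to /xwiki/bin/view/... that
    carries both RequiresHTMLConversion and xerror, where xerror is an off-site target."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.startswith("/xwiki/bin/view/"):
            continue
        params = parse_qs(url.query)   # percent-decodes the values
        if "RequiresHTMLConversion" not in params or "xerror" not in params:
            continue
        for xerror in params["xerror"]:
            if not is_safe_redirect(xerror, request_host, safe_domains):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "xerror": xerror,
                    # a 3xx answer means the instance actually followed the off-site target
                    "redirected": m.group("status").startswith("3"),
                })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(ACCESS_LOG, "wiki.example.org"):
        print(hit)
```

The scan flags the request pattern whether or not the response was a 3xx: a patched instance answers the same request without leaving the site, so the pattern alone is worth an alert while the `redirected` flag tells you whether the instance is still unpatched. The backslash and userinfo handling in `is_safe_redirect` covers the same `//`, `/\` and `@` forms that the Sigma regex above allows before the host, so the request-side and response-side checks agree on what counts as off-site.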
OSV
org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability
osv · 2025-04-29
CVE-2025-32970 [MEDIUM] org.xwiki.platform:xwiki-platform-wysiwyg-api Open Redirect vulnerability
VulnCheck
xwiki xwiki URL Redirection to Untrusted Site ('Open Redirect')
vulncheck · 2025 · CVSS 6.1
CVE-2025-32970 [MEDIUM] xwiki xwiki URL Redirection to Untrusted Site ('Open Redirect')
Affected: xwiki xwiki
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-32970
No detection rules found.
Nuclei
XWiki WYSIWYG API - Open Redirect
nuclei · CVSS 6.1
CVE-2025-32970 [MEDIUM] XWiki WYSIWYG API - Open Redirect
A vulnerability in XWiki's WYSIWYG API allows an attacker to redirect users to arbitrary external URLs through the xerror parameter. This could be used in phishing attacks to redirect users to malicious websites.
Template:

```yaml
id: CVE-2025-32970

info:
  name: XWiki WYSIWYG API - Open Redirect
  author: ritikchaddha
  severity: medium
  description: |
    A vulnerability in XWiki's WYSIWYG API allows an attacker to redirect users to arbitrary external URLs through the xerror parameter. This could be used in phishing attacks to redirect users to malicious websites.
  impact: |
    Attackers can redirect users to malicious external websites through the xerror parameter, potentially enabling phishing attacks and credential theft.
  remediation: |
    Upgrade to the latest XWiki versi
```
No writeups or analysis indexed.