cbcvebase.
CVE-2025-32970
published 2025-04-30

Priority: P179 · Severity: medium · CVSS 3.1 base score: 6.1
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Exploitation status: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 0.54% (41.2th percentile)
XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that redirects to any URL. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0.

Affected (7 ranges)

Vendor   Product          Version range           Fixed in
xwiki    xwiki            (range not listed)      (not listed)
xwiki    xwiki            >= 13.5 < 15.10.13      15.10.13
xwiki    xwiki            >= 16.0.0 < 16.4.4      16.4.4
xwiki    xwiki            >= 16.5.0 < 16.8.0      16.8.0
xwiki    xwiki-platform   (range not listed)      (not listed)
xwiki    xwiki-platform   (range not listed)      (not listed)
xwiki    xwiki-platform   (range not listed)      (not listed)

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://oast.me
path: /xwiki/bin/view/Main/
sigma detection: http_response_header Location matching regex (?m)^(?:Location\s*?:\s*?)(?:https?:\/\/|\/\/|\/\\\\|\/\\)?(?:[a-zA-Z0-9\-_\.@]*)oast\.me.*$
  • The open redirect is triggered via the `xerror` query parameter handled by the HTML conversion request filter; the PoC URL also sets `foo_syntax=invalid` so that the conversion fails and the filter's error path redirects to the `xerror` value. Monitor GET requests to /xwiki/bin/view/ paths that include both `RequiresHTMLConversion` and `xerror` parameters where `xerror` contains an external URL.
  • On the response side, look for HTTP 3xx responses from XWiki whose `Location` header points to a domain that does not belong to the XWiki instance, correlated with requests containing the `RequiresHTMLConversion` and `xerror` parameters.
  • Shodan and FOFA fingerprinting for exposed XWiki instances can use the attribute `data-xwiki-reference` present in page HTML to identify targets.
  • The vulnerability exists in XWiki versions 13.5-rc-1 through 15.10.12, 16.0.0-rc-1 through 16.4.3, and 16.5.0-rc-1 through 16.7.x. Prioritize detection and patching on instances running these version ranges.
  • The `xerror` parameter is the specific attack vector for this open redirect. Any WAF or filtering rule must block or sanitize external URLs supplied to `xerror` in conjunction with `RequiresHTMLConversion` requests.
  • The Nuclei template also checks for `text/javascript` in the response header as a secondary matcher, which may help reduce false positives when hunting for this specific redirect behavior.
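The request-side and response-side checks described in the list above, implemented as an added example over constructed log records (this is editor-supplied code, not part of the database page, the Nuclei template or the XWiki project). The instance hostname `wiki.example.internal`, the `INSTANCE_HOSTS` allow-list and the sample records are assumptions; the regex is the page's sigma pattern with the `Location:` prefix dropped because it is applied to the header value rather than the raw header line, and the callback domain made a parameter.

```python
"""Detect the CVE-2025-32970 open-redirect pattern in XWiki access records.

Editor-added example: flags requests that carry RequiresHTMLConversion together
with an off-site xerror target, and 3xx responses whose Location leaves the
instance. Hostnames and sample records below are constructed, not real traffic.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hostnames that belong to the monitored XWiki instance (assumed; set per deployment).
INSTANCE_HOSTS = {"wiki.example.internal"}

# Shape of the page's sigma regex, applied to the Location value; {domain} is filled in.
LOCATION_RE_TEMPLATE = r"^(?:https?://|//|/\\\\|/\\)?(?:[a-zA-Z0-9\-_.@]*){domain}.*$"


def is_external(url: str, instance_hosts=INSTANCE_HOSTS) -> bool:
    """True when url targets a host outside the instance.

    Handles absolute URLs, scheme-relative //host and the /\\host backslash
    form that some clients normalise to scheme-relative. A plain path is on-site.
    """
    candidate = url.replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.netloc:
        return False
    host = (parts.hostname or "").lower()
    return host not in {h.lower() for h in instance_hosts}


def request_is_suspicious(request_url: str) -> bool:
    """Request-side rule: /xwiki/bin/view/ path, both parameters present, off-site xerror."""
    parts = urlsplit(request_url)
    if "/xwiki/bin/view/" not in parts.path:
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "RequiresHTMLConversion" not in qs or "xerror" not in qs:
        return False
    return any(is_external(v) for v in qs["xerror"])


def response_is_suspicious(status: int, location: Optional[str]) -> bool:
    """Response-side rule: a redirect whose Location header leaves the instance."""
    return 300 <= status < 400 and location is not None and is_external(location)


def location_matches_callback(location: str, domain: str = "oast.me") -> bool:
    """Sigma-style check: does the Location value point at the callback domain?"""
    pattern = LOCATION_RE_TEMPLATE.format(domain=re.escape(domain))
    return re.match(pattern, location) is not None


def scan(records):
    """records: iterable of (request_url, status, location). Returns [(index, reasons)]."""
    hits = []
    for i, (url, status, loc) in enumerate(records):
        reasons = []
        if request_is_suspicious(url):
            reasons.append("off-site xerror with RequiresHTMLConversion")
        if response_is_suspicious(status, loc):
            reasons.append("3xx redirect to external Location")
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample records: (request URL, response status, Location header).
SAMPLE = [
    # The page's PoC shape: conversion forced to fail, xerror pointing off-site.
    ("https://wiki.example.internal/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid"
     "&RequiresHTMLConversion=foo&xerror=https://oast.me", 302, "https://oast.me"),
    # xerror alone without RequiresHTMLConversion: ordinary page load, not flagged.
    ("https://wiki.example.internal/xwiki/bin/view/Main/?xerror=https://oast.me", 200, None),
    # Both parameters but an on-site error target: legitimate use, not flagged.
    ("https://wiki.example.internal/xwiki/bin/view/Main/?RequiresHTMLConversion=foo"
     "&xerror=/xwiki/bin/view/Main/Error", 302, "/xwiki/bin/view/Main/Error"),
    # Scheme-relative target, which a naive "starts with http" check would miss.
    ("https://wiki.example.internal/xwiki/bin/view/Main/?RequiresHTMLConversion=foo"
     "&xerror=//attacker.example/x", 302, "//attacker.example/x"),
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE):
        print(f"record {idx}: " + "; ".join(why))
```

Records 0 and 3 are flagged on both the request and the response side; records 1 and 2 are not. Note that the sigma regex as written is a hunting pattern for one callback domain, so it also matches any host ending in `oast.me` (including `notoast.me`), whereas `is_external` compares the parsed hostname against the instance allow-list and is the check to use for production alerting.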

CVSS provenance

nvd: v3.1 6.1 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck: 6.1 MEDIUM