
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-32430 affects XWiki Platform, a generic wiki platform offering runtime services for applications. The vulnerability was discovered in versions ranging from 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5, and 17.0.0-rc-1 through 17.2.2. The issue was disclosed on August 5, 2025, and involves reflected XSS vulnerabilities in two templates (GitHub Advisory).
The vulnerability consists of two reflected Cross-Site Scripting (XSS) vulnerabilities present in two templates of the XWiki Platform. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v4.0 score of 6.5 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H (GitHub Advisory, NVD).
When successfully exploited, the vulnerability allows attackers to execute malicious JavaScript code in the context of the victim's session. This can be achieved by getting the victim to visit an attacker-controlled URL. The impact extends to both authenticated and unauthenticated users, including those with administrative privileges, potentially allowing attackers to perform arbitrary actions using the victim's permissions (GitHub Advisory).
The vulnerabilities have been patched in XWiki versions 16.4.8, 16.10.6, and 17.3.0-rc-1 by adding proper escaping in the affected templates. For users unable to upgrade immediately, a workaround is available by manually patching the WAR with the same changes as in the original patch (GitHub Advisory).
The vulnerabilities were initially reported by security researchers from Positive Technologies. Aleksey Solovev reported the jobstatusjson vulnerability as an 'Unauth Reflected XSS', while Evgeny Kopytin reported the distribution template vulnerability as an 'Auth Admin Reflected XSS' (GitHub Advisory).
Source: This report was generated using AI