Overview

The Common Vulnerabilities and Exposures (CVE) system has recently reported an alarming vulnerability, CVE-2025-32968, within the XWiki platform. XWiki is a widely used wiki platform used by businesses and organizations across the globe for collaborative work, information sharing, and document management. The vulnerability lies within its versions starting from 1.6-milestone-1 to before 15.10.16, 16.4.6, and 16.10.1. This vulnerability is significant because it allows for a blind SQL injection that could potentially compromise the system and lead to data leakage.

Vulnerability Summary

CVE ID: CVE-2025-32968
Severity: High (CVSS: 8.8)
Attack Vector: Network
Privileges Required: Low
User Interaction: Required
Impact: System compromise, data leakage

Affected Products

Product | Affected Versions

XWiki | 1.6-milestone-1 to 15.10.16
XWiki | 1.6-milestone-1 to 16.4.6
XWiki | 1.6-milestone-1 to 16.10.1

How the Exploit Works

The vulnerability works by allowing a user with SCRIPT rights to escape from the HQL execution context, subsequently enabling them to perform a blind SQL injection. This means that they can execute arbitrary SQL statements on the database backend. Depending on the database used, the attacker might not only gain access to confidential information like password hashes but can also execute UPDATE/INSERT/DELETE queries on the database.

Conceptual Example Code

Here is a conceptual example of how the vulnerability could be exploited:

SELECT * FROM users WHERE username = 'a' OR '1'='1'; --' and password = '...'

In this SQL injection example, the ‘OR ‘1’=’1′ statement always evaluates to true, thus returning all user records, thereby bypassing any password requirement. This is a simplified example, and the actual malicious payload would be more complex and tailored to the specific system being targeted.