GHSA-rp38-24m3-rx87

Source
https://github.com/advisories/GHSA-rp38-24m3-rx87
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-rp38-24m3-rx87/GHSA-rp38-24m3-rx87.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-rp38-24m3-rx87
Published
2025-04-29T14:01:47Z
Modified
2025-04-30T17:29:25Z
Severity
  • 2.7 (Low) CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Summary
The lesscss script service allows cache clearing without programming right
Details

Impact

The script API of the LESS compiler in XWiki incorrectly checks rights when calling the cache cleaning API, making it possible to clear the cache without having programming right. The only impact is a slowdown of XWiki while the caches are re-filled. As exploiting this requires script right, and script right already allows unlimited execution of scripts, the additional impact of this vulnerability is low.

Patches

This has been patched in XWiki 15.10.12, 16.4.3 and 16.8.0 RC1.

Workarounds

We're not aware of any workaround except for being careful whom to give script right, which is a general recommendation.

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "LOW",
    "nvd_published_at": "2025-04-30T15:16:01Z",
    "github_reviewed_at": "2025-04-29T14:01:47Z"
}
Affected packages

Maven / org.xwiki.platform:xwiki-platform-lesscss-script

Package

Name
org.xwiki.platform:xwiki-platform-lesscss-script
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-lesscss-script

Affected ranges (Type: ECOSYSTEM)

Introduced         Fixed
6.1-milestone-1    15.10.12
16.0.0-rc-1        16.4.3
16.5.0-rc-1        16.8.0-rc-1