CVE-2025-46554

April 30, 2025, 7:15 p.m.

5.3
Medium

Description

XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on current user rights, meaning an unauthenticated user could exploit this even in a private wiki. This issue has been patched in versions 14.10.22, 15.10.12, 16.4.3, and 16.7.0.

Product(s) Impacted

Vendor Product Versions
Xwiki
  • Xwiki
  • 1.8.1-*, 14.10.0-14.10.21, 15.0-rc-1-*, 15.10.0-15.10.11, 16.0.0-rc-1-*, 16.4.0-16.4.2, 16.5.0-rc-1-*, 16.7.0-*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a xwiki xwiki 1.8.1-* / / / / / /
a xwiki xwiki 14.10.0-14.10.21 / / / / / / /
a xwiki xwiki 15.0-rc-1-* / / / / / /
a xwiki xwiki 15.10.0-15.10.11 / / / / / / /
a xwiki xwiki 16.0.0-rc-1-* / / / / / /
a xwiki xwiki 16.4.0-16.4.2 / / / / / / /
a xwiki xwiki 16.5.0-rc-1-* / / / / / /
a xwiki xwiki 16.7.0-* / / / / / /

References

https://github.com/xwiki/xwiki-platform/commit/37ecea84fdd053c33733c2ae9a0778bf98eae608
https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342
https://github.com/xwiki/xwiki-platform/commit/c02ce7843a39851865b9d7b6132e32fdd21e3856
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r5cr-xm48-97xp
https://jira.xwiki.org/browse/XWIKI-22424

Tags

security-advisories@github.com
CWE-862
2025-04-30
CVE-2025-46554

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: April 30, 2025, 7:15 p.m.
Last Modified: April 30, 2025, 7:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.