CVE-2025-54125

Aug. 6, 2025, 9:15 p.m.

8.7
High

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn't needed. There isn't any feature in XWiki itself that depends on the XML export.

Product(s) Impacted

Vendor Product Versions
Xwiki
  • Xwiki Platform
  • 1.1-16.4.6, 16.5.0-rc-1-16.10.4, 17.0.0-rc-1-17.1.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-359
Exposure of Private Personal Information to an Unauthorized Actor
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a xwiki xwiki_platform 1.1-16.4.6 / / / / / / /
a xwiki xwiki_platform 16.5.0-rc-1-16.10.4 / / / / / / /
a xwiki xwiki_platform 17.0.0-rc-1-17.1.0 / / / / / / /

References

https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3
https://jira.xwiki.org/browse/XWIKI-22810
https://jira.xwiki.org/browse/XWIKI-22810

Tags

security-advisories@github.com
CWE-359
2025-08-06
CVE-2025-54125

CVSS Score

8.7 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: Aug. 6, 2025, 12:15 a.m.
Last Modified: Aug. 6, 2025, 9:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.