CVE-2025-29924

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 15.10.14 XWiki Platform versions prior to 16.4.6 XWiki Platform versions prior to 16.10.0-rc-1

Description The issue allows an user to access private information through the REST API when a sub wiki is using specific right options such as Prevent unregistered users to view pages or Prevent unregistered users to edit pages. This issue only affects subwikis. It's possible to detect the vulnerability by enabling Prevent unregistered users to view pages and then trying to access a page through the REST API without using any credentials.

Recommendations For versions prior to 15.10.14, update to version 15.10.14 or later. For versions prior to 16.4.6, update to version 16.4.6 or later. For versions prior to 16.10.0-rc-1, update to version 16.10.0-rc-1 or later. As a temporary workaround, consider disabling the Prevent unregistered users to view pages and Prevent unregistered users to edit pages options until a patch is applied. Restrict access to the REST API to minimize the risk of exploitation.