PT-2025-25436 · Unknown · Xwiki Platform
Michael Hamann · Published 2024-12-17 · Updated 2025-06-13 · CVE-2025-49584
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 10.9 through 16.4.6
XWiki Platform versions 16.5.0-rc-1 through 16.10.2
XWiki Platform version 17.0.0-rc-1
Description
The issue affects XWiki, a generic wiki platform. Through the REST API, an attacker can read the title of any page whose reference is known, as long as an XClass with a page property is accessible, which is the case in a default XWiki installation. The impact on confidentiality depends on the naming strategy used for pages: it is low if page names already match the titles, but potentially high if page names are intentionally obfuscated because the titles themselves are sensitive.
Recommendations
For XWiki Platform versions 10.9 through 16.4.6, update to version 16.4.7.
For XWiki Platform versions 16.5.0-rc-1 through 16.10.2, update to version 16.10.3.
For XWiki Platform version 17.0.0-rc-1, update to version 17.0.0.
Affected Products
Xwiki Platform