PT-2025-31999 · Xwiki · Xwiki Platform

Author: Michael Hamann
Published: 2025-01-23
Updated: 2025-08-06
CVE: CVE-2025-54124
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 9.8-rc-1 through 16.4.6
XWiki Platform versions 16.5.0-rc-1 through 16.10.4
XWiki Platform versions 17.0.0-rc-1 through 17.1.0

Description

XWiki Platform Legacy Old Core and XWiki Platform Old Core allow any user with editing rights to create an XClass with a database list property that references a password property. When an object of that XClass is added, the content of the referenced password property is displayed, potentially exposing the password hashes of all users, and any other password properties, to any user with an account on the wiki.

Recommendations

Update to XWiki Platform version 16.4.7 or later.
Update to XWiki Platform version 16.10.5 or later.
Update to XWiki Platform version 17.2.0-rc-1 or later.

Related Identifiers

BDU:2025-09451
CVE-2025-54124
GHSA-R38M-CGPG-QJ69

Affected Products

Xwiki Platform