PT-2025-36627 · Maven · Org.Xwiki.Platform:Xwiki-Platform-Skin-Skinx
Published 2025-09-03 · Updated 2025-09-03
CVSS v4.0: 9.3 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Impact
It is possible to access and read configuration files by using URLs such as
http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false. This can apparently be reproduced on Tomcat instances.
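As an added example that is not part of the advisory, the following Python check scans web-server access logs for requests to the ssx endpoint whose `resource` parameter climbs out of the skin directory, which is the pattern shown in the URL above. The log lines are constructed, and the common-log format and the handling of `resource` as a single query parameter are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Sep/2025:10:00:01 +0000] "GET /bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 1843
10.0.0.6 - - [03/Sep/2025:10:00:02 +0000] "GET /bin/ssx/Main/WebHome?resource=style.css&minify=true HTTP/1.1" 200 512
10.0.0.7 - - [03/Sep/2025:10:00:03 +0000] "GET /bin/ssx/Main/WebHome?resource=%2e%2e%2f%2e%2e%2fWEB-INF%2fxwiki.cfg HTTP/1.1" 200 1843
10.0.0.8 - - [03/Sep/2025:10:00:04 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 9001
"""

# Extracts the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def resource_escapes_root(resource: str) -> bool:
    """True if the resource value, once decoded, would climb above its root.

    Decodes a second time to catch double-encoded values and treats
    backslashes as separators; the depth counter goes negative as soon as
    a '..' segment has no preceding segment to cancel."""
    decoded = unquote(resource).replace("\\", "/")
    depth = 0
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_traversal_attempts(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded resource) for suspicious ssx requests."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.startswith("/bin/ssx/"):
            continue
        # parse_qs already applies one round of percent-decoding.
        for value in parse_qs(url.query, keep_blank_values=True).get("resource", []):
            if resource_escapes_root(value):
                hits.append((line.split()[0], value))
    return hits
```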
Patches
This has been patched in 17.4.0-rc-1, 16.10.7.
Workarounds
There is no known workaround, other than upgrading XWiki.
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Attribution
The vulnerability was reported by Gregor Neumann.
Weakness Enumeration
Relative Path Traversal
Affected Products
Org.Xwiki.Platform:Xwiki-Platform-Skin-Skinx