PT-2025-47417 · Xwiki · Xwiki
Published: 2025-11-18 · Updated: 2025-11-20
CVE-2025-65089
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
XWiki versions prior to 1.27.0
Description
A user lacking view permissions on a page may be able to access the content of an office attachment displayed using the view file macro. This occurs when an office attachment from a restricted page is displayed on a public page. A proof of concept demonstrates that a user with restricted view rights can view the attachment content despite lacking the necessary permissions. There are no known workarounds available.
Recommendations
Update to version 1.27.0 or later.
Exploit
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Xwiki