icon

We found results for “

CVE-2025-29925

Good to know:

icon

Date: March 19, 2025

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.

Severity Score

Severity Score

Weakness Type (CWE)

Transmission of Private Resources into a New Sphere ('Resource Leak')

CWE-402

Top Fix

icon

Upgrade Version

Upgrade to version org.xwiki.platform:xwiki-platform-rest-server:16.10.0;org.xwiki.platform:xwiki-platform-rest-server:16.4.6;org.xwiki.platform:xwiki-platform-rest-server:15.10.14;org.xwiki.platform:xwiki-platform-rest-server:15.10.14;org.xwiki.platform:xwiki-platform-rest-server:16.4.6;org.xwiki.platform:xwiki-platform-rest-server:16.10.0-rc-1;https://github.com/xwiki/xwiki-platform.git - 16.10.0;https://github.com/xwiki/xwiki-platform.git - 16.4.6;https://github.com/xwiki/xwiki-platform.git - 15.10.14

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us