CVE-2025-29924

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it is possible for a user to gain access to private information through the REST API (and possibly through other APIs) when a subwiki uses "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific rights options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages". It can be detected by enabling "Prevent unregistered users to view pages" on a subwiki and then trying to access one of its pages through the REST API without any credentials. The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1.
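The detection step above, written out as an added example (this is not XWiki code and not part of the advisory): it requests a page of the subwiki through the REST page resource with no credentials and classifies the answer. The path `/rest/wikis/{wiki}/spaces/{space}/pages/{page}` is XWiki's documented page resource; the base URL, the wiki/space/page names, the `<page` body check and the status-code interpretation are assumptions made for the demonstration. The fetch function is injectable so the classification logic can be exercised offline with a stand-in.

```python
"""Unauthenticated probe of an XWiki subwiki page over the REST API.

Added example for this advisory; not code from the XWiki project.
Assumptions: the target subwiki has "Prevent unregistered users to view
pages" enabled and the probed page exists and is NOT explicitly granted
to guests. Under those assumptions a guest should be refused.
"""
import urllib.error
import urllib.request
from typing import Callable, Tuple

# A fetcher returns (status_code, body) so the logic can run offline with
# a stand-in instead of a live server.
FetchResult = Tuple[int, str]


def rest_page_url(base_url: str, wiki: str, space: str, page: str) -> str:
    """Build the REST URL of a page in a (sub)wiki, e.g.
    https://host/xwiki/rest/wikis/sub1/spaces/Main/pages/WebHome"""
    return f"{base_url.rstrip('/')}/rest/wikis/{wiki}/spaces/{space}/pages/{page}"


def fetch_anonymous(url: str) -> FetchResult:
    """GET the URL as a guest: no Authorization header, no session cookie."""
    req = urllib.request.Request(url, headers={"Accept": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        # 401/403/404 arrive as HTTPError; keep the code and body.
        return e.code, e.read().decode("utf-8", "replace")


def classify(status: int, body: str) -> str:
    """Interpret a guest response from a subwiki that forbids guest view.

    The mapping is an assumption for this example:
      200 with a <page ...> document -> the guest got page data: EXPOSED
      401 or 403                     -> guest refused as expected: DENIED
      404                            -> wrong wiki/space/page: NOT_FOUND
      anything else                  -> INCONCLUSIVE
    """
    if status == 200 and "<page" in body:
        return "EXPOSED"
    if status in (401, 403):
        return "DENIED"
    if status == 404:
        return "NOT_FOUND"
    return "INCONCLUSIVE"


def probe(base_url: str, wiki: str, space: str = "Main", page: str = "WebHome",
          fetch: Callable[[str], FetchResult] = fetch_anonymous) -> str:
    """Run one guest request against the page and return its classification."""
    status, body = fetch(rest_page_url(base_url, wiki, space, page))
    return classify(status, body)


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://wiki.example.org/xwiki sub1 [space] [page]
    base, wiki = sys.argv[1], sys.argv[2]
    space = sys.argv[3] if len(sys.argv) > 3 else "Main"
    page = sys.argv[4] if len(sys.argv) > 4 else "WebHome"
    print(probe(base, wiki, space, page))
```

Two caveats when reading the result: the bug only affects subwikis, so probe a subwiki name (not the main wiki), and a `200` for a page that is deliberately viewable by guests is normal behaviour, not this vulnerability. Re-run the same probe after upgrading to 15.10.14, 16.4.6 or 16.10.0RC1 and expect `DENIED`.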
Configurations

Configuration 1

cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

History

30 Apr 2025, 15:58

Type       | Values Removed | Values Added
Summary    |                | (es, translated) XWiki Platform is a generic wiki platform. Before versions 15.10.14, 16.4.6 and 16.10.0-rc-1, a user could access private information through the REST API, though also through another API, when a subwiki used the option "Prevent unregistered users to view pages". The vulnerability only affects subwikis and only concerns specific rights options, such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages". The vulnerability can be detected by enabling the option "Prevent unregistered users to view pages" and trying to access a page through the REST API without using credentials. The vulnerability has been fixed in XWiki 15.10.14, 16.4.6 and 16.10.0RC1.
References | https://github.com/xwiki/xwiki-platform/commit/5f98bde87288326cf5787604e2bb87836875ed0e | https://github.com/xwiki/xwiki-platform/commit/5f98bde87288326cf5787604e2bb87836875ed0e - Patch
References | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gq32-758c-3wm3 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gq32-758c-3wm3 - Vendor Advisory
References | https://jira.xwiki.org/browse/XWIKI-22640 | https://jira.xwiki.org/browse/XWIKI-22640 - Issue Tracking, Vendor Advisory
CPE        |                | cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
First Time |                | Xwiki xwiki, Xwiki
CVSS       | v2: unknown, v3: unknown | v2: unknown, v3: 7.5
CWE        |                | CWE-863

19 Mar 2025, 20:15

Type       | Values Removed | Values Added
References |                | https://jira.xwiki.org/browse/XWIKI-22640

19 Mar 2025, 18:15

Type       | Values Removed | Values Added
New CVE    |                |

Information

Published : 2025-03-19 18:15

Updated : 2025-04-30 15:58


NVD link : CVE-2025-29924

Mitre link : CVE-2025-29924

CVE.ORG link : CVE-2025-29924


Products Affected

xwiki

  • xwiki
CWE
CWE-269

Improper Privilege Management

CWE-863

Incorrect Authorization