CVE-2025-54125

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn't needed. There isn't any feature in XWiki itself that depends on the XML export.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59	Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3	Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-22810	Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-22810	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::

History

02 Sep 2025, 19:24

Type	Values Removed	Values Added
References	~~() https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59 -~~	() https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59 - Patch
References	~~() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3 -~~	() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3 - Vendor Advisory
References	~~() https://jira.xwiki.org/browse/XWIKI-22810 -~~	() https://jira.xwiki.org/browse/XWIKI-22810 - Vendor Advisory
CPE		cpe:2.3:a:xwiki:xwiki::::::::
First Time		Xwiki Xwiki xwiki
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

06 Aug 2025, 21:15

Type	Values Removed	Values Added
References	~~() https://jira.xwiki.org/browse/XWIKI-22810 -~~	() https://jira.xwiki.org/browse/XWIKI-22810 -

06 Aug 2025, 20:23

Type	Values Removed	Values Added
Summary		(es) XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones desarrolladas sobre ella. En las versiones 1.1 a 16.4.6, 16.5.0-rc-1 a 16.10.4 y 17.0.0-rc-1 a 17.1.0 de XWiki Platform Legacy Old Core y XWiki Platform Old Core, la exportación XML de una página en XWiki, que puede ser activada por cualquier usuario con permisos de visualización añadiendo ?xpage=xml a la URL, incluye propiedades de contraseña y correo electrónico almacenadas en un documento que no se denominan contraseña ni correo electrónico. Esto se solucionó en las versiones 16.4.7, 16.10.5 y 17.2.0-rc-1. Para solucionar este problema, se puede eliminar el archivo templates/xml.vm del WAR implementado si no se necesita el XML. No hay ninguna función en XWiki que dependa de la exportación XML.

06 Aug 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-06 00:15

Updated : 2025-09-02 19:24

NVD link : CVE-2025-54125

Mitre link : CVE-2025-54125

CVE.ORG link : CVE-2025-54125

JSON object : View

Products Affected

xwiki

xwiki

CWE

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

6.5 /10