Access Control Vulnerability in XWiki Platform Affecting User Privacy
CVE-2025-29924

8.7 HIGH

Key Information:

Vendor
XWiki
CVE Published:
19 March 2025

Summary

An access control vulnerability exists in XWiki Platform. It affects subwikis configured with settings such as 'Prevent unregistered users to view pages': on such wikis, unauthorized users can still read private information through the REST API, compromising user privacy. The issue applies only where such tailored configurations are in place and has been fixed in versions 15.10.14, 16.4.6, and 16.10.0-rc-1.

Affected Version(s)

xwiki-platform >= 6.1-rc-1, < 15.10.14 (introduced in 6.1-rc-1, fixed in 15.10.14)

xwiki-platform >= 16.0.0-rc-1, < 16.4.6 (introduced in 16.0.0-rc-1, fixed in 16.4.6)

xwiki-platform >= 16.5.0-rc-1, < 16.10.0-rc-1 (introduced in 16.5.0-rc-1, fixed in 16.10.0-rc-1)

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
