Access Control Vulnerability in XWiki Platform Affecting User Privacy
CVE-2025-29924
8.7HIGH
Summary
An access control vulnerability exists in XWiki Platform affecting specific configurations where subwikis permit settings like 'Prevent unregistered users to view pages'. This flaw enables unauthorized users to access private information through the REST API, thereby compromising user privacy. The vulnerability is particularly relevant when tailored configurations are in place, and has been rectified in versions 15.10.14, 16.4.6, and 16.10.0-rc-1.
Affected Version(s)
xwiki-platform >= 6.1-rc-1, < 15.10.14 < 6.1-rc-1, 15.10.14
xwiki-platform >= 16.0.0-rc-1, < 16.4.6 < 16.0.0-rc-1, 16.4.6
xwiki-platform >= 16.5.0-rc-1, < 16.10.0-rc-1 < 16.5.0-rc-1, 16.10.0-rc-1
References
CVSS V4
Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None
Timeline
Vulnerability published
Vulnerability Reserved