Vulnerability in XWiki Platform Allows Unauthorized Message Access
CVE-2025-32783
4.7 MEDIUM
Summary
XWiki Platform versions 5.0 through 16.7.1 leak Message Stream messages across wiki boundaries when the Message Stream feature is enabled. If a subwiki is configured as closed, with the option 'Prevent unregistered users from viewing pages' selected, messages posted in that subwiki to 'everyone' are still shown to visitors of the main wiki, because they appear in the main wiki's Dashboard. Users who have no access to the closed subwiki can therefore read its messages, which defeats the access restriction placed on that subwiki. The Message Stream feature was deprecated in 16.8.0RC1 and no patch will be issued for the affected versions. Administrators should disable the Message Stream feature in the wiki Administration settings under Social, and confirm that it is not enabled on any wiki where messages are expected to stay private.
Affected Version(s)
xwiki-platform >= 5.0, <= 16.7.1
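The affected range above is stated in XWiki's own version scheme, in which a release candidate such as 16.8.0RC1 precedes the final 16.8.0 and a plain "16.7" means 16.7.0. The following Python check is an added example, not code from the advisory or from the XWiki project: it parses a version string into a comparable tuple and reports whether it falls inside the stated range. The regular expression for pre-release tags (RC1, -rc-1, -milestone-1) and the assumed ordering milestone < RC < final release are assumptions about XWiki's naming, not something the advisory specifies; the version string itself comes from wherever you read it (the instance's About page, the deployed WAR, or a dependency manifest).

```python
import re

# Affected range exactly as stated in the advisory: xwiki-platform >= 5.0, <= 16.7.1
AFFECTED_MIN = "5.0"
AFFECTED_MAX = "16.7.1"

# Numeric part, then an optional pre-release tag such as "RC1", "-rc-1" or
# "-milestone-1". The tag grammar is an assumption about XWiki's naming.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)[-.]?(\d+)?)?$")

# Assumed ordering of pre-release tags: milestones < release candidates < final.
_TAG_RANK = {"milestone": 0, "m": 0, "rc": 1}
_FINAL_RANK = 2


def parse_version(version: str) -> tuple:
    """Turn an XWiki version string into a comparable tuple.

    Returns (numeric components padded to three, pre-release rank, pre-release number)
    so that 16.8.0RC1 < 16.8.0 and 16.7.1 < 16.8.0RC1.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers, tag, tag_number = match.groups()
    numeric = [int(part) for part in numbers.split(".")]
    numeric += [0] * max(0, 3 - len(numeric))  # "16.7" compares equal to "16.7.0"
    if tag is None:
        return (tuple(numeric), _FINAL_RANK, 0)
    rank = _TAG_RANK.get(tag.lower(), 0)  # unknown tags are treated as early pre-releases (assumption)
    return (tuple(numeric), rank, int(tag_number or 0))


def is_affected(version: str) -> bool:
    """True if the given xwiki-platform version falls inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


if __name__ == "__main__":
    for candidate in ["4.5.4", "5.0", "16.7.1", "16.8.0RC1", "16.8.0", "16.10.3"]:
        print(f"{candidate:>10}: {'affected' if is_affected(candidate) else 'not affected'}")
```

Because the range is closed at 16.7.1 and the deprecation landed in 16.8.0RC1, the release candidate itself is reported as not affected; a version inside the range that still has the Message Stream enabled is the case to act on, since no fixed build exists for it.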
CVSS V3.1
Score:
4.7
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published