XWiki Platform Vulnerability Exposes User Password Hashes
CVE-2025-54124

7.1HIGH

Key Information:

Vendor: Xwiki
Status: Xwiki-platform
Vendor: CVE Published:; 6 August 2025

What is CVE-2025-54124?

The XWiki Platform contains a vulnerability that allows users with editing rights to create an XClass that references a database list property linked to a password property. When adding an object of that XClass, the content of the password property becomes visible. This flaw permits any user with an account on the wiki to access password hashes for all users, as well as potentially other sensitive password properties visible to the user, undermining the security of user credentials.

Affected Version(s)

xwiki-platform >= 9.8-rc-1, < 16.4.7 < 9.8-rc-1, 16.4.7

xwiki-platform >= 16.5.0-rc-1, < 16.10.5 < 16.5.0-rc-1, 16.10.5

xwiki-platform >= 17.0.0-rc-1, < 17.2.0-rc-1 < 17.0.0-rc-1, 17.2.0-rc-1

References

https://github.com/xwiki/xwiki-platform/security/advisori...

x_refsource_CONFIRM

https://github.com/xwiki/xwiki-platform/commit/f2ca8649cb...

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-22811

x_refsource_MISC

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 6, 2025

Xwiki

What is CVE-2025-54124?

Affected Version(s)

References

CVSS V4

Timeline