CVE-2025-29924

EPSS 0.37%
Veröffentlicht 19.03.2025 17:31:09
Zuletzt bearbeitet 30.04.2025 15:58:41
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

XWiki uses the wrong wiki reference in AuthorizationManager

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages". or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by enabling "Prevent unregistered users to view pages" and then trying to access a page through the REST API without using any credentials. The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

NVD 3 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 6.1 < 15.10.14

Xwiki ≫ Xwiki Version >= 16.0.0 < 16.4.6

Xwiki ≫ Xwiki Version >= 16.5.0 <= 16.10.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.37%	0.287

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gq32-758c-3wm3

Vendor Advisory

https://github.com/xwiki/xwiki-platform/commit/5f98bde87288326cf5787604e2bb87836875ed0e

Patch

https://jira.xwiki.org/browse/XWIKI-22640

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-29924

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-29924

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-29924

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-29924