CVE-2025-49594

EPSS 0.13%
Veröffentlicht 06.10.2025 14:48:43
Zuletzt bearbeitet 23.10.2025 14:15:36
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user (since users are very commonly viewable, at least to other registered users). Version 2.18.2 contains a patch. As a workaround, disable token access.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerxwiki-contrib

≫

Produkt oidc

Version >= 2.17.1, < 2.18.2

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.13%	0.334

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.2	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

https://github.com/xwiki-contrib/oidc/security/advisories/GHSA-f2hf-pfrj-vrm7

https://github.com/xwiki-contrib/oidc/commit/d90d717172283aaa96bb5bb44e357f910ae64adb

https://jira.xwiki.org/browse/OIDC-240

https://www.vicarius.io/vsociety/posts/cve-2025-49594-detect-xwiki-vulnerability

https://www.vicarius.io/vsociety/posts/cve-2025-49594-mitigate-xwiki-vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2025-49594

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-49594

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-49594

EUVD