logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-29925 org.xwiki.platform:xwiki-platform-rest-server

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-rest-server
Vulnerable Version: >=1.9m1 <15.10.14 || >=16.0.0-rc-1 <16.4.6 || >=16.5.0-rc-1 <16.10.0-rc-1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00657 pctl0.70148

Details

XWiki allows unregistered users to access private pages information through REST endpoint ### Impact Protected pages are listed when requesting the REST endpoints `/rest/wikis/[wikiName]/pages` even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki (actually it only impacts the main wiki due to XWIKI-22639). ### Patches The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights. ### Workarounds There's no workaround except upgrading or applying manually the changes of the commits (see references) in `xwiki-platform-rest-server` and recompiling / rebuilding it. ### References * Original JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22630 * Related JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22639 * Commits of the patch: https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206 and https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

Metadata

Created: 2025-03-19T20:34:43Z
Modified: 2025-03-19T20:34:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-22q5-9phm-744v/GHSA-22q5-9phm-744v.json
CWE IDs: ["CWE-402"]
Alternative ID: GHSA-22q5-9phm-744v
Finding: F067
Auto approve: 1