logo

Database

Improper authorization control for web services In org.xwiki.platform:xwiki-platform-rest-server

Description

XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API

Impact

Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights, a not authenticated user could exploit this even in a totally private wiki.

To reproduce:

You get a list of attachments, while the expected result should be an empty list.

Patches

This vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3.

Workarounds

We're not aware of any workaround except upgrading.

References

For more information

If you have any questions or comments about this advisory:

Attribution

Issue reported by Lukas Monert.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-465542. NVD-2025-465543. OSV-2025-465544. GHSA-r5cr-xm48-97xp5. GCVE-2025-46554

References

1. https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r5cr-xm48-97xp2. https://github.com/xwiki/xwiki-platform/commit/37ecea84fdd053c33733c2ae9a0778bf98eae6083. https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e93424. https://github.com/xwiki/xwiki-platform/commit/c02ce7843a39851865b9d7b6132e32fdd21e38565. https://jira.xwiki.org/browse/XWIKI-224246. https://jira.xwiki.org/browse/XWIKI-224277. https://vulncheck.com/cve/CVE-2025-465548. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-46554.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.