CVE-2025-54125

Published 06/08/2025 00:15 · Modified 06/08/2025 21:15

Labels: CVE-2025-54125, 2025-08-06, CWE-359, [email protected]

Essential information

Published: 06/08/2025 00:15
Modified: 06/08/2025 21:15
CVSS: 8.7 HIGH (v3), 8.7 HIGH (v4.0)
CISA KEV: No
Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page, which any user with view rights on the page can trigger by appending ?xpage=xml to the URL, includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML export isn't needed. No feature in XWiki itself depends on the XML export.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product | CPE
xwiki / xwiki platform | cpe:2.3:a:xwiki:xwiki_platform:1.1-16.4.6:*:*:*:*:*:*:*
xwiki / xwiki platform | cpe:2.3:a:xwiki:xwiki_platform:16.5.0-rc-1-16.10.4:*:*:*:*:*:*:*
xwiki / xwiki platform | cpe:2.3:a:xwiki:xwiki_platform:17.0.0-rc-1-17.1.0:*:*:*:*:*:*:*