CVE-2025-49584
BaseFortify
Publication date: 2025-06-13
Last updated on: 2025-09-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | From 10.9 (inc) to 16.4.7 (exc) |
| xwiki | xwiki | From 16.5.0 (inc) to 16.10.3 (exc) |
| xwiki | xwiki | 17.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-49584 is a vulnerability in the XWiki platform's REST API that allows an attacker to access the titles of any page whose reference is known, even if the page itself is not accessible. This happens because the REST API exposes page titles without proper authorization checks, as long as an XClass with a page property is accessible (which is the default). The vulnerability enables unauthorized information disclosure by leaking page titles one per request. It does not affect fully private wikis because the REST endpoint checks access rights on the XClass definition. The issue was fixed by adding strict access control checks before returning page titles. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to obtain the titles of pages in your XWiki installation, potentially exposing sensitive information if page titles are meaningful or sensitive. The impact on confidentiality depends on how page names and titles are used; if page names are obfuscated to protect sensitive titles, the risk is higher. The vulnerability can be exploited remotely without any privileges or user interaction, making it a significant information disclosure risk. However, it does not affect the integrity or availability of the system. [2, 1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by attempting to access page titles through the XWiki REST API without proper authorization. For example, use curl to request page titles for known page references and check whether titles are returned without authentication or authorization. A sample command might be: `curl -X GET "https://your-xwiki-instance/rest/wikis/xwiki/spaces/{space}/pages/{page}/title" -v`. If titles are accessible without proper rights, the system is vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade XWiki to a fixed version: 16.4.7, 16.10.3, or 17.0.0 or later, where access control checks have been added to the REST API to enforce VIEW rights before returning page titles. There are no known workarounds. Additionally, ensure that your wiki is configured as fully private if confidentiality is a concern, as fully private wikis are not affected. [2, 1]
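Because the affected ranges above mix half-open intervals with one exact version, a quick way to triage an inventory of XWiki instances is to compare each reported version against those ranges. The following is an added example written for this page; it is not code from BaseFortify or the XWiki project. The ranges are copied from the affected-products table above; the version strings passed in are constructed sample inputs, and the handling of pre-release suffixes (they are ignored, so a release candidate of a listed version is treated as that version) is this example's own conservative choice.

```python
"""Triage helper: is a given XWiki version inside the ranges listed for CVE-2025-49584?

Added example, not code from BaseFortify or the XWiki project. Ranges come
from the affected-products table on this page.
"""
import re

# (lower bound inclusive, upper bound exclusive); an upper bound of None
# means the entry is a single exact version rather than a range.
AFFECTED_RANGES = [
    ("10.9", "16.4.7"),
    ("16.5.0", "16.10.3"),
    ("17.0.0", None),  # listed on the page as a single affected version
]


def parse_version(version):
    """Turn '16.4.7' or '16.10.3-rc-1' into a comparable tuple of ints.

    Any pre-release suffix after '-' is ignored (assumption: treat a release
    candidate as its final version, which errs on the side of flagging it).
    Missing components are padded with zeros so '10.9' compares as 10.9.0.
    """
    core = version.split("-", 1)[0]
    parts = [int(p) for p in re.findall(r"\d+", core)]
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """Return True if the version lies in any affected range from the table."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        lo = parse_version(lower)
        if upper is None:
            if v == lo:
                return True
        elif lo <= v < parse_version(upper):
            return True
    return False


def triage(versions):
    """Map each version string in an inventory to its affected/not-affected status."""
    return {ver: is_affected(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory, including both edges of each range.
    sample_inventory = ["10.8", "10.9", "16.4.6", "16.4.7", "16.10.2",
                        "16.10.3", "17.0.0", "17.0.0-rc-1", "17.1.0"]
    for ver, hit in triage(sample_inventory).items():
        print(f"{ver:14s} {'AFFECTED - upgrade' if hit else 'not in listed ranges'}")
```

The boundary versions 16.4.7 and 16.10.3 are the fixed releases named in the mitigation answer, so they fall just outside the half-open ranges and are reported as not affected, while 17.0.0 matches the exact entry.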