CVE-2025-54124
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-09-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | From 9.8 (inc) to 16.4.7 (exc) |
| xwiki | xwiki | From 16.5.0 (inc) to 16.10.5 (exc) |
| xwiki | xwiki | From 17.0.0 (inc) to 17.1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in XWiki Platform allows any user with editing rights to create an XClass with a database list property that references a password property. When an object of that XClass is added, the content of the password property is displayed. As a result, any user with an account on the wiki can access password hashes of all users and possibly other password properties stored in pages they can view.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized disclosure of password hashes and possibly plaintext passwords to any user with an account on the wiki. This exposure can increase the risk of account compromise, unauthorized access, and potential further exploitation within the system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade XWiki Platform to version 16.4.7, 16.10.5, 17.2.0-rc-1 or later, as these versions contain the fix for this vulnerability.