CVE-2025-54125
BaseFortify
Publication date: 2025-08-06
Last updated on: 2025-09-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | From 1.1 (inc) to 16.4.7 (exc) |
| xwiki | xwiki | From 16.5.0 (inc) to 16.10.5 (exc) |
| xwiki | xwiki | From 17.0.0 (inc) to 17.1.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in XWiki Platform affects certain versions where the XML export of a page, which can be triggered by any user with view rights by appending ?xpage=xml to the URL, includes password and email properties stored on a document that are not explicitly named password or email. This means sensitive information can be exposed unintentionally through the XML export feature. The issue is fixed in versions 16.4.7, 16.10.5, and 17.2.0-rc-1. As a workaround, the XML export template file can be deleted if XML export is not needed.
How can this vulnerability impact me?
This vulnerability can lead to unintended exposure of sensitive information such as passwords and email addresses to any user with view rights on a page, potentially allowing unauthorized access or data leakage. Since the XML export includes these sensitive properties, attackers or unauthorized users could retrieve confidential data without needing additional privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability could negatively impact compliance with data protection standards and regulations such as GDPR and HIPAA because it exposes sensitive personal information (passwords and emails) without proper authorization. Such unauthorized disclosure of personal data may violate privacy and security requirements mandated by these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your XWiki Platform version is within the affected ranges (1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0). Additionally, you can test if appending '?xpage=xml' to a page URL returns XML data containing password and email properties that are not named 'password' or 'email'. There are no specific commands provided to detect this vulnerability on your network or system.
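As an added example (not BaseFortify's or the XWiki project's code), the following Python helper audits a saved copy of a page's ?xpage=xml export and lists every password- or email-typed property regardless of its name, which is exactly the condition the advisory describes. The xwikidoc element layout and the PasswordClass/EmailClass type names are assumed from XWiki's document XML format, and the sample export is constructed.

```python
import xml.etree.ElementTree as ET

# XWiki property class types whose values the fix stops exporting (assumed names).
SENSITIVE_TYPES = {
    "com.xpn.xwiki.objects.classes.PasswordClass": "password",
    "com.xpn.xwiki.objects.classes.EmailClass": "email",
}

def find_sensitive_properties(xml_text: str) -> list[dict]:
    """One record per object field typed as password/email, whatever it is named."""
    findings = []
    for obj in ET.fromstring(xml_text).iter("object"):
        class_def = obj.find("class")
        if class_def is None:
            continue
        for field in class_def:  # each child is one field definition of the class
            kind = SENSITIVE_TYPES.get(field.findtext("classType", ""))
            if kind is None:
                continue
            # Values live under <property><fieldname>...</fieldname></property>.
            exported = any(p.find(field.tag) is not None for p in obj.findall("property"))
            findings.append({"class": obj.findtext("className", "?"), "property": field.tag,
                             "kind": kind, "value_exported": exported,
                             "generic_name": field.tag == kind})
    return findings

def leaked_nonstandard(xml_text: str) -> list[dict]:
    """The CVE condition: sensitive values exported under a name other than password/email."""
    return [f for f in find_sensitive_properties(xml_text)
            if f["value_exported"] and not f["generic_name"]]

# Constructed sample of an ?xpage=xml export (structure assumed; values are fake).
SAMPLE_EXPORT = """<xwikidoc reference="Sandbox.Creds">
<object><className>Sandbox.CredsClass</className><number>0</number>
 <class><name>Sandbox.CredsClass</name>
  <password><classType>com.xpn.xwiki.objects.classes.PasswordClass</classType></password>
  <secret><classType>com.xpn.xwiki.objects.classes.PasswordClass</classType></secret>
  <contact><classType>com.xpn.xwiki.objects.classes.EmailClass</classType></contact>
  <title><classType>com.xpn.xwiki.objects.classes.StringClass</classType></title>
 </class>
 <property><password>hash:SHA-512:constructed</password></property>
 <property><secret>hash:SHA-512:constructed</secret></property>
 <property><contact>svc@example.invalid</contact></property>
 <property><title>Service account</title></property>
</object></xwikidoc>"""

if __name__ == "__main__":
    for f in leaked_nonstandard(SAMPLE_EXPORT):
        print(f"{f['class']}.{f['property']} ({f['kind']}) exported under a non-standard name")
```

Run it against exports taken from a test instance; on a fixed version the password- and email-typed values should no longer appear in the export at all.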
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading XWiki Platform to version 16.4.7, 16.10.5, or 17.2.0-rc-1 (or later), where the issue is fixed. If upgrading is not possible immediately, you can delete the file 'templates/xml.vm' from the deployed WAR file to disable the XML export feature, which is not required by any XWiki feature.