CVE-2025-55747
BaseFortify
Publication date: 2025-09-03
Last updated on: 2025-09-10
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | xwiki | From 6.2 (inc) to 16.10.7 (exc) |
| xwiki | xwiki | From 17.0.0 (inc) to 17.3.0 (inc) |
| xwiki | xwiki | 6.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in XWiki Platform versions 6.1-milestone-2 through 16.10.6 allows configuration files to be accessed through the webjars API, potentially exposing sensitive configuration data. It was fixed in version 16.10.7.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to configuration files, which may contain sensitive information. This exposure can compromise the security of the system, potentially allowing attackers to gain insights into system settings or credentials, leading to further exploitation.
What immediate steps should I take to mitigate this vulnerability?
Upgrade XWiki Platform to version 16.10.7 or later, as this version fixes the vulnerability related to configuration files being accessible through the webjars API.