CVE-2025-65090
Information Disclosure in XWiki Full Calendar Macro Before
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xwiki | macro-fullcalendar | up to and including 2.4.5 |
| xwiki | macro-fullcalendar | 2.4.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes unauthorized exposure of sensitive database information, including user emails, to any user with view rights, including guest users. Such data leakage can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information. Although passwords are not exposed, the leakage of other personal data could violate privacy and security requirements mandated by these standards. [2, 3]
Can you explain this vulnerability to me?
CVE-2025-65090 is a vulnerability in the XWiki macro-fullcalendar extension prior to version 2.4.6. It allows users who can view the Calendar.JSONService page, including guest users without privileges, to access sensitive database information such as user emails (passwords excluded). This happens due to improper access control and information disclosure in the JSON service handling calendar data. The vulnerability was fixed by adding strict checks on which fields can be accessed and returned, validating CSRF tokens, sanitizing output, and logging unauthorized access attempts. [2, 3]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information stored in the XWiki database, such as user emails. Since guest users or any users with view rights to the Calendar.JSONService page can exploit this, it poses a privacy risk and could potentially be used for further attacks like phishing. However, passwords are not exposed. The vulnerability does not affect data integrity or availability but can compromise confidentiality. [3, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Calendar.JSONService page is accessible to users, including guest users, without proper access control. Since the vulnerability allows unauthorized users to retrieve sensitive database information (excluding passwords) via this JSON service, you can attempt to access the Calendar.JSONService endpoint on your XWiki instance to see if data is exposed. For example, you can use curl to make a request to the JSON service endpoint and observe the response:

```
curl -i http://<your-xwiki-domain>/xwiki/bin/view/Calendar.JSONService
```

If the response contains sensitive data such as user emails or other database information, the system is vulnerable. Additionally, monitoring logs for unauthorized access attempts or warnings related to field access (as introduced in the patch) can help detect exploitation attempts. [2, 3]
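The guest-access check above, turned into a small script that also verifies the "restrict access to Calendar.JSONService" workaround. This is an added example, not part of the advisory or of XWiki; it assumes the default `/xwiki/bin/view/` URL layout shown in the curl command, and `XWIKI_BASE` is a placeholder for your own instance.

```shell
#!/bin/sh
# Added example (not from the advisory or XWiki): fetch Calendar.JSONService as
# an unauthenticated guest and report whether the page is restricted, removed,
# merely reachable, or returning e-mail-looking data.
XWIKI_BASE="${XWIKI_BASE:-http://your-xwiki-domain.example/xwiki}"   # placeholder
ENDPOINT="$XWIKI_BASE/bin/view/Calendar.JSONService"

# classify_response STATUS BODY
# Verdicts:
#   exposed    - HTTP 200 and the body contains e-mail-shaped strings
#   reachable  - HTTP 200, guest can view the page, no e-mail data in this body
#   restricted - 401/403, the workaround (deny guest view) is in place
#   redirected - 3xx, typically a login redirect; inspect the Location header
#   absent     - 404, the page was removed (the other workaround)
classify_response() {
  status="$1"
  body="$2"
  case "$status" in
    200)
      if printf '%s' "$body" | grep -Eq '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'; then
        echo exposed
      else
        echo reachable
      fi ;;
    401|403) echo restricted ;;
    3[0-9][0-9]) echo redirected ;;
    404) echo absent ;;
    *) echo unknown ;;
  esac
}

# check_endpoint: no cookies, no credentials, so the request runs as guest.
# Returns non-zero only when the verdict is "exposed".
check_endpoint() {
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' "$ENDPOINT")
  verdict=$(classify_response "$status" "$(cat "$tmp")")
  rm -f "$tmp"
  echo "$ENDPOINT -> HTTP $status: $verdict"
  [ "$verdict" != exposed ]
}

# Run the live check only when explicitly asked: ./check.sh --run
if [ "${1:-}" = "--run" ]; then
  check_endpoint
fi
```

A "reachable" verdict still means guests can view the page, so on an unpatched 2.4.5 or earlier instance treat it as a finding and apply the workaround or upgrade.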
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the XWiki macro-fullcalendar extension to version 2.4.6 or later, where the vulnerability has been patched. If upgrading is not immediately possible, a recommended workaround is to remove or restrict access to the Calendar.JSONService page to prevent unauthorized users, including guests, from viewing it. This may impact some calendar functionalities but will prevent data leakage. Additionally, ensure that CSRF token validation and strict property access controls are enforced as per the patch details. [2, 3]