Executive Summary

CVE-2025-65090 is a vulnerability in the XWiki macro-fullcalendar extension prior to version 2.4.6. It allows users who can view the Calendar.JSONService page, including guest users without privileges, to access sensitive database information such as user emails, except passwords. This happens due to improper access control and information disclosure in the JSON service handling calendar data. The vulnerability was fixed by adding strict checks on which fields can be accessed and returned, validating CSRF tokens, sanitizing output, and logging unauthorized access attempts. [2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored in the XWiki database, such as user emails. Since guest users or any users with view rights to the Calendar.JSONService page can exploit this, it poses a privacy risk and could potentially be used for further attacks like phishing. However, passwords are not exposed. The vulnerability does not affect data integrity or availability but can compromise confidentiality. [3, 2]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Calendar.JSONService page is accessible to users, including guest users, without proper access control. Since the vulnerability allows unauthorized users to retrieve sensitive database information (excluding passwords) via this JSON service, you can attempt to access the Calendar.JSONService endpoint on your XWiki instance to see if data is exposed. For example, you can use curl to make a request to the JSON service endpoint and observe the response: curl -i http://<your-xwiki-domain>/xwiki/bin/view/Calendar.JSONService If the response contains sensitive data such as user emails or other database information, the system is vulnerable. Additionally, monitoring logs for unauthorized access attempts or warnings related to field access (as introduced in the patch) can help detect exploitation attempts. [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the XWiki macro-fullcalendar extension to version 2.4.6 or later, where the vulnerability has been patched. If upgrading is not immediately possible, a recommended workaround is to remove or restrict access to the Calendar.JSONService page to prevent unauthorized users, including guests, from viewing it. This may impact some calendar functionalities but will prevent data leakage. Additionally, ensure that CSRF token validation and strict property access controls are enforced as per the patch details. [2, 3]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes unauthorized exposure of sensitive database information, including user emails, to any user with view rights, including guest users. Such data leakage can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information. Although passwords are not exposed, the leakage of other personal data could violate privacy and security requirements mandated by these standards. [2, 3]

Useful 0 Not Useful 0