CVE-2025-54125

HIGH EPSS 64.6%
Published Aug 6, 202511mo ago · Modified Jun 17, 20262w ago
8.7 CVSS 4.0
High
Find Similar
Published Aug 6, 2025 11mo ago
Last Modified Jun 17, 2026 2w ago

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn't needed. There isn't any feature in XWiki itself that depends on the XML export.

CVSS Details

Base Score
8.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
64.6% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-359

Affected Products 3

VendorProductVersionRange
xwikixwiki*≥1.1  –  <16.4.7
xwikixwiki*≥16.5.0  –  <16.10.5
xwikixwiki*≥17.0.0  –  ≤17.1.0

References 3

  • github.com https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59
    Patch
  • github.com https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-57q2-6cp4-9mq3
    Vendor Advisory
  • jira.xwiki.org https://jira.xwiki.org/browse/XWIKI-22810
    Vendor Advisory

Remediation

  • github.com https://github.com/xwiki/xwiki-platform/commit/742ee3482ef6c2bd4ad03d0de9cdd81d0e8f3d59
    Patch