CVE-2025-29925
published 2025-03-19

PriorityP180medium5.3CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 0.91% (55.3rd percentile)
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.

Affected (6 ranges)

Vendor  Product          Version range          Fixed in
xwiki   xwiki            >= 1.9, < 15.10.14     15.10.14
xwiki   xwiki            >= 16.0.0, < 16.4.6    16.4.6
xwiki   xwiki            16.5.0 – 16.10.0
xwiki   xwiki-platform
xwiki   xwiki-platform
xwiki   xwiki-platform

Detection & IOCs (extracted from sources)

url    rest/wikis/xwiki/pages?space=
url    xwiki/rest/wikis/xwiki/pages?space=
other  <pageSummary
other  <pages
  • Probe both URL path variants for the XWiki REST pages endpoint (with and without leading 'xwiki/' prefix) using an unauthenticated GET request; a vulnerable instance returns HTTP 200 with Content-Type containing 'text/xml' or 'text/javascript' and a body containing all three XML tokens: '<pageSummary', '<pages', and '<xwikiRelativeUr'.
  • Shodan fingerprint for exposed XWiki instances: search for HTML attribute 'data-xwiki-reference' in page source.
  • FOFA fingerprint for exposed XWiki instances: search for body containing 'data-xwiki-reference'.
  • The vulnerability is exploitable without authentication (PR:N, UI:N per CVSS); no session or credentials are required to trigger the information disclosure via the REST pages endpoint.
  • The REST endpoint /rest/wikis/[wikiName]/pages leaks page listings even when the wiki is configured with 'Prevent unregistered user to view pages'; monitor for unauthenticated GET requests to this path pattern.
  • The disclosure only affects the main wiki endpoint; sub-wikis are not impacted by this specific bypass.
  • Patched versions (15.10.14, 16.4.6, 16.10.0RC1) still expose the endpoint but filter results based on page-level rights; detection rules should account for the endpoint remaining accessible post-patch.
  • The Nuclei template uses stop-at-first-match across two path payloads, so only one successful probe is needed to confirm vulnerability; both path variants should be tested independently in other tooling.
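For the monitoring point above (unauthenticated GET requests to the pages endpoint), here is an added example, not code from the advisory or the XWiki project: a small Python filter over constructed access-log lines that flags anonymous GETs to both path variants and records whether a 200 with an XML/JS body came back. Because patched versions still answer 200 with a rights-filtered list, a hit marks an access attempt rather than proof of vulnerability. The log format, including the trailing quoted Content-Type field, is an assumption made for the example.

```python
import re
from urllib.parse import urlparse

# XWiki REST pages endpoint, with or without the "/xwiki" context-path
# prefix (the two path variants named in the detection notes).
PAGES_ENDPOINT = re.compile(r"^(?:/xwiki)?/rest/wikis/[^/]+/pages/?$")

# Constructed combined-log-style format. The third field is the
# authenticated user ("-" when no credentials were sent); the trailing
# quoted field is a hypothetical response Content-Type added to the log.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<ctype>[^"]*)")?$'
)

def classify(line):
    """Return None unless the line is an unauthenticated GET to the pages
    endpoint; otherwise report whether an XML/JS listing body came back."""
    m = LOG_LINE.match(line)
    if not m or m["method"] != "GET" or m["user"] != "-":
        return None
    path = urlparse(m["target"]).path
    if not PAGES_ENDPOINT.match(path):
        return None
    ctype = m["ctype"] or ""
    listing = m["status"] == "200" and (
        "text/xml" in ctype or "text/javascript" in ctype)
    # Patched versions also answer 200 with a (rights-filtered) XML list, so
    # this flags the unauthenticated access, not proof of vulnerability.
    return {"ip": m["ip"], "path": path, "listing_returned": listing}

def unauth_pages_requests(lines):
    """All unauthenticated hits on the pages endpoint, in log order."""
    return [r for r in (classify(l) for l in lines) if r]

# Constructed sample log: two anonymous requests covering both path
# variants, one logged-in user, one anonymous request that was denied,
# and one unrelated page view.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/Mar/2025:10:00:01 +0000] "GET /xwiki/rest/wikis/xwiki/pages?space= HTTP/1.1" 200 4821 "text/xml;charset=UTF-8"',
    '198.51.100.7 - - [19/Mar/2025:10:00:02 +0000] "GET /rest/wikis/xwiki/pages?space= HTTP/1.1" 200 4821 "text/xml;charset=UTF-8"',
    '203.0.113.5 - alice [19/Mar/2025:10:01:00 +0000] "GET /xwiki/rest/wikis/xwiki/pages HTTP/1.1" 200 4821 "text/xml"',
    '203.0.113.9 - - [19/Mar/2025:10:02:00 +0000] "GET /xwiki/rest/wikis/xwiki/pages HTTP/1.1" 401 0 "text/html"',
    '203.0.113.9 - - [19/Mar/2025:10:03:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 900 "text/html"',
]
```

Running `unauth_pages_requests(SAMPLE_LOG)` yields three records: the two anonymous probes with `listing_returned` True and the denied request with it False; the authenticated and unrelated lines are ignored.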

CVSS provenance

nvd        v3.1  5.3  MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd        v4.0  8.7  HIGH    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck        8.7  HIGH