CVE-2025-46554
Published 2025-04-30
Priority P181 · medium · CVSS 3.1 base score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploited in the wild (VulnCheck KEV)
EPSS 0.99% (58.0th percentile)
XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on current user rights, meaning an unauthenticated user could exploit this even in a private wiki. This issue has been patched in versions 14.10.22, 15.10.12, 16.4.3, and 16.7.0.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 1.8.1 < 14.10.22 | 14.10.22 |
| xwiki | xwiki | >= 15.0 < 15.10.12 | 15.10.12 |
| xwiki | xwiki | >= 16.0.0 < 16.4.3 | 16.4.3 |
| xwiki | xwiki | >= 16.5.0 < 16.7.0 | 16.7.0 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Detection & IOCs (extracted from sources)
- url: rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments
- url: xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments
- other: data-xwiki-reference
- Probe the XWiki REST attachments endpoint unauthenticated; a vulnerable instance returns HTTP 200 with a body containing '<attachments', '<item', and '<longSize' and a Content-Type of 'text/xml' or 'text/javascript'.
- Two common URL path variants exist for the vulnerable endpoint: with and without the leading 'xwiki/' prefix. Both should be tested when scanning.
- Use the Shodan/FOFA fingerprint 'data-xwiki-reference' in the HTML body to identify XWiki instances for targeted scanning.
- The vulnerability is exploitable by unauthenticated users (PR:N, UI:N per CVSS), so no credentials or session tokens are required to trigger the information disclosure.
- The proof-of-concept path targets the default 'Sandbox/WebHome' page. Real wikis may not have this page, so the endpoint path should be adapted to known pages/spaces on the target instance.
- The affected version range is broad (1.8.1 – 16.6.x); patched versions are 14.10.22, 15.10.12, 16.4.3, and 16.7.0. Detections should correlate against the installed XWiki version to reduce false positives on patched instances.
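A helper for the version correlation step, written for this page as an added example (not XWiki or advisory code): it parses XWiki version strings, including `-rc-N` suffixes, and reports whether a version falls inside the affected ranges given in the description at the top of the page and, if so, which release fixes that branch. The lower bounds follow the NVD description (`15.0-rc-1`, `16.0.0-rc-1`, `16.5.0-rc-1`); the GHSA text names 16.7.0-rc-1 rather than 16.7.0 as the fix on the 16.5 branch, so that bound is an assumption you may want to adjust.

```python
"""Check XWiki version strings against the CVE-2025-46554 affected ranges.

Added example for this page, not code from XWiki or the advisory. Bounds are
taken from the NVD description; GHSA lists 16.7.0-rc-1 as the fix on 16.5.x.
"""
import re

# (first affected, first fixed) per release branch, as stated in the description
AFFECTED_RANGES = [
    ("1.8.1", "14.10.22"),
    ("15.0-rc-1", "15.10.12"),
    ("16.0.0-rc-1", "16.4.3"),
    ("16.5.0-rc-1", "16.7.0"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-rc-(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn '16.7.0-rc-1' into a sortable tuple. Numeric parts are padded to
    three places so '15.0' equals '15.0.0'; a final release ends in (1, 0) and
    'rc-N' in (0, N), so every release candidate sorts before its final release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised XWiki version: %r" % text)
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    rc = m.group(2)
    return tuple(nums) + ((1, 0) if rc is None else (0, int(rc)))


def fix_for(version):
    """Return the first fixed version on the matching branch, or None if unaffected."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return first_fixed
    return None


def is_affected(version):
    return fix_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory (hostname, reported XWiki version)
    for host, ver in [("wiki-a", "14.10.21"), ("wiki-b", "16.4.3"), ("wiki-c", "16.6.0")]:
        fix = fix_for(ver)
        print(host, ver, "upgrade to %s" % fix if fix else "not affected")
```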
CVSS provenance
- nvd: v3.1 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- vulncheck: 5.3 MEDIUM
GHSA
CVE-2025-46554 [MEDIUM] CWE-862 XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API (ghsa · 2025-04-30)
### Impact
Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It does not filter the result depending on current user rights, so an unauthenticated user could exploit this even in a totally private wiki.
To reproduce:
* remove view from guest on the whole wiki
* logout
* access http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments
You get a list of attachments, while the expected result should be an empty list.
### Patches
This vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3.
### Workarounds
We're not aware of any workaround except upgrading.
### References
* https://j
OSV
CVE-2025-46554 [MEDIUM] XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API (osv · 2025-04-30)
VulnCheck
CVE-2025-46554 [MEDIUM] xwiki xwiki Missing Authorization (vulncheck · 2025 · CVSS 5.3)
Affected: xwiki xwiki
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-ex
No detection rules found.
Nuclei
CVE-2025-46554 [MEDIUM] XWiki REST API - Attachments Disclosure (nuclei · CVSS 5.3)
A vulnerability in XWiki's REST API allows unauthenticated users to access attachments list and metadata through the attachments endpoint. This could lead to disclosure of sensitive information stored in attachments metadata.
Template:

```yaml
id: CVE-2025-46554

info:
  name: XWiki REST API - Attachments Disclosure
  author: ritikchaddha
  severity: high
  description: |
    A vulnerability in XWiki's REST API allows unauthenticated users to access attachments list and metadata through the attachments endpoint. This could lead to disclosure of sensitive information stored in attachments metadata.
  impact: |
    Unauthenticated users can access attachment lists and metadata through the REST API attachments endpoint, potentially exposing sensitive information.
  remediation:
```
No writeups or analysis indexed.
References:
- https://github.com/xwiki/xwiki-platform/commit/37ecea84fdd053c33733c2ae9a0778bf98eae608
- https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342
- https://github.com/xwiki/xwiki-platform/commit/c02ce7843a39851865b9d7b6132e32fdd21e3856
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r5cr-xm48-97xp
- https://jira.xwiki.org/browse/XWIKI-22424