CVE-2025-54124: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in xwiki xwiki-platform

High
Tags: Vulnerability, CVE-2025-54124, CWE-359
Published: Tue Aug 05 2025 (08/05/2025, 23:28:07 UTC)
Source: CVE Database V5
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When an object of that XClass is added, the content of the referenced password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access the password hashes of all users, and possibly other password properties (with hashed or plain storage) that live on pages the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1.

AI-Powered Analysis

AI analysis last updated: 08/13/2025, 01:07:24 UTC

Technical Analysis

CVE-2025-54124 is a high-severity vulnerability affecting multiple versions of the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. The vulnerability arises from improper handling of password properties within custom XClasses created by users with editing rights. Specifically, any user with editing permissions can create an XClass containing a database list property that references a password property. When an object of this XClass is added, the content of the referenced password property is displayed. This means that users with standard account access can view password hashes, or even plaintext passwords where the property uses plain storage, on pages they have permission to view. The affected versions span 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0. The issue has been addressed in versions 16.4.7, 16.10.5, and 17.2.0-rc-1. The vulnerability is classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) and has a CVSS 4.0 base score of 7.1, indicating high severity. The attack vector is network-based with low attack complexity and no user interaction required, but it requires the attacker to hold at least editing privileges (partial privileges). The vulnerability severely impacts confidentiality by exposing sensitive password data, but does not affect integrity or availability. No known exploits are reported in the wild as of the publication date. If exploited, this vulnerability could lead to credential compromise, lateral movement, and further escalation within affected organizations.

Potential Impact

For European organizations using affected versions of XWiki Platform, this vulnerability poses a significant risk to the confidentiality of user credentials and potentially other sensitive information stored as password properties. Since the vulnerability allows any user with editing rights to access password hashes or plaintext passwords, attackers or malicious insiders could leverage this to compromise user accounts, escalate privileges, or move laterally within the network. This is particularly critical for organizations that use XWiki for internal knowledge management, documentation, or collaboration, where sensitive or proprietary information may be stored. The exposure of password hashes could also facilitate offline brute-force or cracking attempts, increasing the risk of account takeover. Given the collaborative nature of wikis, the threat could extend to multiple departments or teams, amplifying the impact. Additionally, regulatory compliance frameworks in Europe such as GDPR impose strict requirements on protecting personal data, including credentials. A breach resulting from this vulnerability could lead to regulatory penalties, reputational damage, and loss of trust. The lack of known exploits in the wild currently reduces immediate risk, but the ease of exploitation and the availability of the vulnerability details increase the likelihood of future attacks.

Mitigation Recommendations

European organizations should prioritize upgrading affected XWiki Platform instances to the fixed versions 16.4.7, 16.10.5, or 17.2.0-rc-1 as soon as possible. Until patches are applied, organizations should restrict editing rights to only trusted users and review current user permissions to minimize the number of accounts with editing capabilities. Implement strict access controls and audit logging to monitor for suspicious activities related to XClass creation or modification. Conduct a thorough inventory of all XWiki instances and identify those running vulnerable versions. Additionally, review stored password properties and consider resetting passwords for users whose credentials may have been exposed. Employ network segmentation and limit access to the wiki platform to reduce exposure. Where possible, enable multi-factor authentication (MFA) on user accounts to mitigate the risk of compromised credentials being used for unauthorized access. Regularly monitor security advisories from XWiki and related communities for updates or emerging exploit information. Finally, educate users about the risks of credential exposure and encourage strong password hygiene.
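To support the inventory step above, the following script (an added example, not part of the advisory or of XWiki itself) classifies XWiki version strings against the affected and fixed versions stated on this page. It handles the one awkward case in these ranges, namely that a release candidate such as 16.5.0-rc-1 must sort before the final 16.5.0; the inventory it runs over is constructed sample data.

```python
import re

# Affected ranges and fixed versions exactly as listed in the CVE-2025-54124 advisory.
AFFECTED_RANGES = [
    ("9.8-rc-1", "16.4.6"),
    ("16.5.0-rc-1", "16.10.4"),
    ("17.0.0-rc-1", "17.1.0"),
]
FIXED_VERSIONS = ["16.4.7", "16.10.5", "17.2.0-rc-1"]

# major.minor[.patch][-rc-N]; other XWiki pre-release schemes are rejected rather than guessed.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?$")


def parse_version(text):
    """Turn an XWiki version string into a comparable tuple.
    Release candidates sort before the final release of the same number
    (16.5.0-rc-1 < 16.5.0): the fourth element is 0 for rc, 1 for final."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch or 0), 1, 0)
    return (int(major), int(minor), int(patch or 0), 0, int(rc))


def is_affected(version):
    """True when the version falls inside any affected range (bounds inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def nearest_fix(version):
    """Lowest fixed version that is not older than the installed one, or None."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        if parse_version(fixed) >= v:
            return fixed
    return None


def triage(inventory):
    """inventory: {hostname: version}. Returns {hostname: (affected, fix_or_None)}."""
    return {host: (is_affected(ver), nearest_fix(ver) if is_affected(ver) else None)
            for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration; hostnames are placeholders.
    sample = {"wiki-a.example": "16.4.6", "wiki-b.example": "16.10.5",
              "wiki-c.example": "17.0.0-rc-1", "wiki-d.example": "17.2.0"}
    for host, (affected, fix) in triage(sample).items():
        print(f"{host}: {'AFFECTED, upgrade to ' + fix if affected else 'not affected'}")
```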

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-16T23:53:40.509Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6892949dad5a09ad00ec4d38

Added to database: 8/5/2025, 11:32:45 PM

Last enriched: 8/13/2025, 1:07:24 AM

Last updated: 8/13/2025, 1:07:24 AM
