CVE-2025-54124: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in xwiki xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When an object of that XClass is added, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access the password hashes of all users, and possibly other password properties (with hashed or plain storage) on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1.
AI Analysis
Technical Summary
CVE-2025-54124 is a high-severity vulnerability affecting multiple versions of the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. The vulnerability arises from improper handling of password properties within custom XClasses created by users with editing rights. Specifically, any user with editing permissions can create an XClass containing a database list property that references a password property. When an object of this XClass is added, the content of the password property is exposed and displayed. This means that users with standard account access can view password hashes or even plaintext passwords stored on pages they have permission to view. The affected versions span from 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0. The issue has been addressed in versions 16.4.7, 16.10.5, and 17.2.0-rc-1. The vulnerability is classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor) and has a CVSS 4.0 base score of 7.1, indicating a high severity. The attack vector is network-based with low attack complexity and no user interaction required, but it requires the attacker to have at least editing privileges (partial privileges). The vulnerability impacts confidentiality severely by exposing sensitive password data, but does not affect integrity or availability. No known exploits are reported in the wild as of the publication date. This vulnerability could lead to credential compromise, lateral movement, and further escalation within affected organizations if exploited.
Potential Impact
For European organizations using affected versions of XWiki Platform, this vulnerability poses a significant risk to the confidentiality of user credentials and potentially other sensitive information stored as password properties. Since the vulnerability allows any user with editing rights to access password hashes or plaintext passwords, attackers or malicious insiders could leverage this to compromise user accounts, escalate privileges, or move laterally within the network. This is particularly critical for organizations that use XWiki for internal knowledge management, documentation, or collaboration, where sensitive or proprietary information may be stored. The exposure of password hashes could also facilitate offline brute-force or cracking attempts, increasing the risk of account takeover. Given the collaborative nature of wikis, the threat could extend to multiple departments or teams, amplifying the impact. Additionally, regulatory compliance frameworks in Europe such as GDPR impose strict requirements on protecting personal data, including credentials. A breach resulting from this vulnerability could lead to regulatory penalties, reputational damage, and loss of trust. The lack of known exploits in the wild currently reduces immediate risk, but the ease of exploitation and the availability of the vulnerability details increase the likelihood of future attacks.
Mitigation Recommendations
European organizations should prioritize upgrading affected XWiki Platform instances to the fixed versions 16.4.7, 16.10.5, or 17.2.0-rc-1 as soon as possible. Until patches are applied, organizations should restrict editing rights to only trusted users and review current user permissions to minimize the number of accounts with editing capabilities. Implement strict access controls and audit logging to monitor for suspicious activities related to XClass creation or modification. Conduct a thorough inventory of all XWiki instances and identify those running vulnerable versions. Additionally, review stored password properties and consider resetting passwords for users whose credentials may have been exposed. Employ network segmentation and limit access to the wiki platform to reduce exposure. Where possible, enable multi-factor authentication (MFA) on user accounts to mitigate the risk of compromised credentials being used for unauthorized access. Regularly monitor security advisories from XWiki and related communities for updates or emerging exploit information. Finally, educate users about the risks of credential exposure and encourage strong password hygiene.
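To support the inventory step above, here is an added example (not code from the advisory or the XWiki project) that applies the affected and fixed version ranges stated in this advisory to version strings collected from XWiki instances. It assumes Maven-style ordering of pre-release qualifiers (milestone < rc < final release) and knows only the ranges this advisory lists.

```python
import re
from typing import Optional, Tuple

# Affected version ranges (inclusive) exactly as stated in the advisory.
AFFECTED_RANGES = [
    ("9.8-rc-1", "16.4.6"),
    ("16.5.0-rc-1", "16.10.4"),
    ("17.0.0-rc-1", "17.1.0"),
]
# Fixed versions as stated in the advisory.
FIXED_VERSIONS = ["16.4.7", "16.10.5", "17.2.0-rc-1"]

# Matches "16.10.4", "9.8-rc-1", "17.0.0-milestone-2" and similar.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(rc|milestone)-(\d+))?$", re.IGNORECASE)

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(version: str) -> VersionKey:
    """Turn an XWiki version string into a sortable key.

    Assumption (not from the advisory): qualifiers sort as
    milestone (0) < rc (1) < final release (2), like Maven versioning.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # "9.8" sorts like "9.8.0"
    qualifier, number = m.group(2), m.group(3)
    if qualifier is None:
        return (nums, 2, 0)
    rank = 1 if qualifier.lower() == "rc" else 0
    return (nums, rank, int(number))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def minimum_fix(version: str) -> Optional[str]:
    """Smallest fixed version at or above the given one, or None if none is listed."""
    key = parse_version(version)
    candidates = [f for f in FIXED_VERSIONS if parse_version(f) >= key]
    return min(candidates, key=parse_version) if candidates else None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("wiki-a", "16.4.6"), ("wiki-b", "16.10.5"), ("wiki-c", "17.0.0-rc-1")]:
        print(host, ver, "AFFECTED -> upgrade to" if is_affected(ver) else "ok", minimum_fix(ver))
```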
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-16T23:53:40.509Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6892949dad5a09ad00ec4d38
Added to database: 8/5/2025, 11:32:45 PM
Last enriched: 8/13/2025, 1:07:24 AM
Last updated: 8/18/2025, 1:22:21 AM