
CVE-2025-54125: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in xwiki xwiki-platform

High
Tags: Vulnerability, CVE-2025-54125, cve, cwe-359
Published: Tue Aug 05 2025 (08/05/2025, 23:30:38 UTC)
Source: CVE Database V5
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page, which can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL, includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML export isn't needed. There isn't any feature in XWiki itself that depends on the XML export.

AI-Powered Analysis

Last updated: 08/13/2025, 01:07:43 UTC

Technical Analysis

CVE-2025-54125 is a high-severity vulnerability affecting multiple versions of the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. The vulnerability arises from the XML export functionality of a wiki page, which can be triggered by any user with view rights by appending '?xpage=xml' to the page URL. In affected versions (1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0), the XML export includes sensitive properties such as passwords and email addresses stored on the document, even if these properties are not explicitly named 'password' or 'email'. This results in unauthorized exposure of private personal information to any user with viewing permissions, without requiring authentication or user interaction beyond viewing the page. The vulnerability is classified under CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor). It has a CVSS 4.0 base score of 8.7, reflecting its network exploitable nature, no required privileges, no user interaction, and a high impact on confidentiality. The issue is fixed in versions 16.4.7, 16.10.5, and 17.2.0-rc-1. As a workaround, administrators can delete the 'templates/xml.vm' file from the deployed WAR if XML export functionality is not needed, as no core XWiki features depend on it. There are currently no known exploits in the wild. This vulnerability poses a significant risk of data leakage, potentially exposing user credentials and contact information to unauthorized actors who have only view access to the wiki pages.

Potential Impact

For European organizations using vulnerable versions of XWiki Platform, this vulnerability could lead to unauthorized disclosure of sensitive personal information, including passwords and email addresses. This exposure can facilitate further attacks such as credential stuffing, phishing, or social engineering campaigns targeting employees or customers. The breach of personal data may also violate the EU General Data Protection Regulation (GDPR), leading to regulatory penalties, reputational damage, and loss of customer trust. Since the vulnerability requires only view rights, it can be exploited by any authenticated or unauthenticated user with access to the wiki pages, increasing the attack surface. Organizations relying on XWiki for internal documentation, collaboration, or customer-facing knowledge bases are at risk of confidential information leakage, potentially impacting business operations and security posture.

Mitigation Recommendations

1. Upgrade XWiki Platform to the patched versions 16.4.7, 16.10.5, or 17.2.0-rc-1 as soon as possible to eliminate the vulnerability.
2. If immediate upgrade is not feasible, remove or rename the 'templates/xml.vm' file in the deployed WAR directory to disable the XML export feature, preventing exposure of sensitive data.
3. Review and audit wiki pages for any sensitive information stored in custom properties that may be inadvertently exposed.
4. Restrict view permissions on sensitive pages to trusted users only, minimizing the risk of unauthorized access.
5. Monitor access logs for unusual or suspicious requests containing '?xpage=xml' to detect potential exploitation attempts.
6. Educate users and administrators about the risks of exposing sensitive data in wiki documents and encourage secure data handling practices.
7. Implement network-level controls or web application firewall (WAF) rules to block or alert on requests attempting to access XML exports if disabling the feature is not possible.
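As an added illustration of recommendation 5 (not part of the original advisory or of XWiki), the script below parses web-server access logs in the combined format and reports requests that select the xml template. It looks the parameter up properly instead of matching the substring '?xpage=xml', so '&xpage=xml' in a longer query string and percent-encoded values are caught while paths that merely contain the text are not; the log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_xml_export(request_path: str) -> bool:
    """True if the request selects XWiki's xml template via the xpage parameter.

    parse_qs splits on '&' and percent-decodes, so '?foo=1&xpage=xml' and
    '?xpage=%78ml' both match, while '?xpage=xmlfoo' and a path that only
    contains the text 'xpage=xml' outside the query string do not.
    """
    params = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    return "xml" in params.get("xpage", [])

def find_xml_exports(log_lines):
    """Return (ip, user, path, status) for every XML export request seen."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_xml_export(m["path"]):
            hits.append((m["ip"], m["user"], m["path"], int(m["status"])))
    return hits

def summarize(hits):
    """Count XML exports that actually succeeded (HTTP 200), per client IP."""
    return Counter(ip for ip, _, _, status in hits if status == 200)

# Constructed sample log lines (hypothetical hosts, users and pages)
SAMPLE_LOG = [
    '10.0.0.5 - alice [05/Aug/2025:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120',
    '10.0.0.9 - - [05/Aug/2025:10:01:10 +0000] "GET /xwiki/bin/view/HR/Contacts?xpage=xml HTTP/1.1" 200 8844',
    '10.0.0.9 - - [05/Aug/2025:10:01:11 +0000] "GET /xwiki/bin/view/HR/Payroll?foo=1&xpage=xml HTTP/1.1" 200 9021',
    '10.0.0.9 - - [05/Aug/2025:10:01:12 +0000] "GET /xwiki/bin/view/HR/Secret?xpage=%78ml HTTP/1.1" 403 412',
    '10.0.0.7 - bob [05/Aug/2025:10:02:00 +0000] "GET /xwiki/bin/view/Main/xpage=xml HTTP/1.1" 200 3100',
    '10.0.0.7 - bob [05/Aug/2025:10:02:05 +0000] "GET /xwiki/bin/view/Main/WebHome?xpage=xmlfoo HTTP/1.1" 200 3100',
]

if __name__ == "__main__":
    found = find_xml_exports(SAMPLE_LOG)
    for ip, user, path, status in found:
        print(f"{ip:<10} {user:<6} {status} {path}")
    print("successful exports per client:", dict(summarize(found)))
```

Unauthenticated clients ('-' in the user field) pulling XML exports of many pages in quick succession is the pattern worth alerting on; a single export by a known editor is usually benign.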


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-16T23:53:40.509Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6892949dad5a09ad00ec4d3d

Added to database: 8/5/2025, 11:32:45 PM

Last enriched: 8/13/2025, 1:07:43 AM

Last updated: 8/13/2025, 1:07:43 AM

