CVE-2025-65090: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in xwiki-contrib macro-fullcalendar
XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.
AI Analysis
Technical Summary
CVE-2025-65090 is a vulnerability identified in the xwiki-contrib macro-fullcalendar component, which is used to display wiki objects on a calendar interface. The flaw exists in versions prior to 2.4.6 and allows unauthorized actors, including unauthenticated guest users, to access sensitive information stored in the database by exploiting access to the Calendar.JSONService page. This page is accessible to users with viewing rights, which may include guests depending on configuration. The vulnerability results in an information disclosure (CWE-200) where sensitive data, excluding passwords, can be retrieved. The attack vector is network-based with no privileges or user interaction required, making it relatively easy to exploit remotely. The vulnerability does not affect data integrity or availability but compromises confidentiality by leaking potentially sensitive organizational data. The issue was publicly disclosed with a CVSS v3.1 score of 5.3, indicating a medium severity level. The vendor addressed the vulnerability by releasing version 2.4.6, which restricts unauthorized access to the Calendar.JSONService page and prevents data leakage. No known exploits have been reported in the wild, but the risk remains for organizations running outdated versions.
Potential Impact
For European organizations, the exposure of sensitive information through this vulnerability can lead to unauthorized disclosure of internal data, potentially including business-critical or personal information stored within the wiki. Although passwords are not exposed, other confidential data leakage can facilitate further attacks such as social engineering, reconnaissance for targeted attacks, or compliance violations under GDPR if personal data is involved. Organizations in sectors such as government, finance, healthcare, and education that rely on XWiki for collaboration and documentation are particularly at risk. The ease of exploitation without authentication increases the threat level, especially for publicly accessible wiki instances. Data leakage incidents can damage organizational reputation, lead to regulatory penalties, and increase the attack surface for subsequent intrusions. The lack of known exploits currently reduces immediate risk but does not eliminate the potential for future exploitation.
Mitigation Recommendations
Organizations should immediately upgrade the xwiki-contrib macro-fullcalendar component to version 2.4.6 or later to apply the official patch that restricts unauthorized access to the Calendar.JSONService page. Until the upgrade is possible, administrators should review and tighten access controls on the Calendar.JSONService endpoint, ensuring that only authorized users can view calendar data. Implement network-level restrictions such as IP whitelisting or VPN access for sensitive wiki services. Conduct audits of wiki permissions to minimize guest or anonymous user rights. Monitor access logs for unusual or unauthorized requests to the Calendar.JSONService page. Additionally, organizations should review the data stored in the wiki for sensitive information exposure and consider encrypting sensitive content where feasible. Regular vulnerability scanning and patch management processes should be enforced to prevent similar issues.
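As an added example (not code from the advisory or the xwiki-contrib project), the two checks the recommendations above call for, in Python: a version comparison against the fixed 2.4.6 release, and a scan of access-log lines for clients pulling the Calendar.JSONService page in bursts or in bulk. The XWiki URL shape `/xwiki/bin/<action>/Calendar/JSONService`, the log format and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Fixed version named in the advisory; anything older needs the upgrade.
FIXED_VERSION = (2, 4, 6)

# Assumed URL shape: XWiki serves wiki pages as /<app>/bin/<action>/<Space>/<Page>,
# so the Calendar.JSONService page shows up as .../Calendar/JSONService.
JSONSERVICE_RE = re.compile(r"/bin/\w+/Calendar/JSONService(?:[/?]|$)")

# Apache/NGINX combined log format: ip ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (not from a real system): one client pulls the JSON
# service three times with large responses, another fetches it once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2026:03:44:10 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jan/2026:03:44:12 +0000] "GET /xwiki/bin/get/Calendar/JSONService?outputSyntax=plain HTTP/1.1" 200 84211
203.0.113.5 - - [10/Jan/2026:03:44:13 +0000] "GET /xwiki/bin/get/Calendar/JSONService?outputSyntax=plain HTTP/1.1" 200 90012
203.0.113.5 - - [10/Jan/2026:03:44:15 +0000] "GET /xwiki/bin/get/Calendar/JSONService?outputSyntax=plain HTTP/1.1" 200 88770
198.51.100.7 - - [10/Jan/2026:03:50:01 +0000] "GET /xwiki/bin/get/Calendar/JSONService?outputSyntax=plain HTTP/1.1" 200 2048
"""

def parse_version(v):
    """'2.4.5' -> (2, 4, 5); a qualifier such as '-SNAPSHOT' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def needs_upgrade(v):
    """True when the installed macro-fullcalendar version predates the fix."""
    return parse_version(v) < FIXED_VERSION

def jsonservice_hits(log_text):
    """Successful (200) requests that touched the Calendar.JSONService page."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["status"] == "200" and JSONSERVICE_RE.search(m["path"]):
            hits.append(m.groupdict())
    return hits

def flag_clients(hits, burst=2, max_bytes=100_000):
    """Per client IP, total the JSONService pulls and bytes served and flag
    clients over either threshold. The authuser field is normally '-' for
    XWiki (login is by session cookie), so it is not used as a guest signal."""
    per_ip = defaultdict(lambda: {"count": 0, "bytes": 0})
    for h in hits:
        per_ip[h["ip"]]["count"] += 1
        per_ip[h["ip"]]["bytes"] += int(h["size"]) if h["size"] != "-" else 0
    return {ip: r for ip, r in per_ip.items()
            if r["count"] > burst or r["bytes"] > max_bytes}
```

Tune `burst` and `max_bytes` to the normal calendar traffic of the instance; a single large pull is expected from legitimate calendar views, repeated bulk pulls from one client are not.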
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-17T20:55:34.691Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6961cb1719784dcf52be20d8
Added to database: 1/10/2026, 3:44:23 AM
Last enriched: 1/17/2026, 7:52:50 AM
Last updated: 2/7/2026, 4:49:48 AM