XWiki, Information Disclosure, CVE-2025-XXXX (Medium)

How the CVE Works:

The vulnerability in XWiki allows unauthorized access to page titles through the REST API, even for pages that should be restricted. By leveraging the class property values REST endpoint, an attacker can systematically query known page references to extract their titles. This occurs because the API fails to enforce proper access controls before retrieving the title via an accessible XClass that has a page property. While default configurations (where page names match titles) limit the impact, obfuscated page names in sensitive wikis escalate the risk. Patches now enforce access checks before retrieval.
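The paragraph above describes the defect as a missing authorization check between "resolve the page reference" and "read its title". The following is an added example, not XWiki's code: a small Python model of the property values lookup with a constructed wiki and ACL, showing the vulnerable ordering next to the patched one. The page/class names, users and the `value`/`label` response shape are assumptions made for the model.

```python
"""Model of the authorization check the patch adds (added example, not XWiki's code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

@dataclass(frozen=True)
class Page:
    reference: str               # e.g. "xwiki:Secret.P42" (constructed)
    title: str
    viewers: FrozenSet[str]      # users holding view right (constructed ACL)

# Constructed sample wiki: a public page, and a restricted page whose name hides its topic
WIKI: Dict[str, Page] = {
    "xwiki:Main.WebHome": Page("xwiki:Main.WebHome", "Home", frozenset({"guest", "alice"})),
    "xwiki:Secret.P42": Page("xwiki:Secret.P42", "Acquisition of Example Corp", frozenset({"alice"})),
}

def has_view_right(user: str, page: Page) -> bool:
    """Stand-in for the wiki's authorization manager."""
    return user in page.viewers

def property_values_vulnerable(user: str, references: List[str]) -> List[dict]:
    """Before the fix: every known reference is resolved to its title; the caller's
    identity is never consulted, so a restricted page's title is returned to anyone."""
    values = []
    for ref in references:
        page = WIKI.get(ref)
        if page is not None:
            values.append({"value": ref, "label": page.title})
    return values

def property_values_fixed(user: str, references: List[str]) -> List[dict]:
    """After the fix: the view right is checked before the title is read, and an
    inaccessible page is handled exactly like a nonexistent one, so the response
    carries no title for it and does not distinguish the two cases."""
    values = []
    for ref in references:
        page = WIKI.get(ref)
        if page is None or not has_view_right(user, page):
            continue
        values.append({"value": ref, "label": page.title})
    return values

if __name__ == "__main__":
    print(property_values_vulnerable("guest", ["xwiki:Secret.P42"]))  # leaks the title
    print(property_values_fixed("guest", ["xwiki:Secret.P42"]))       # []
```

The point of the model is the order of operations: the right check must run on the referenced page before its title is read, and the inaccessible case should collapse into the "not found" case rather than returning a partial record.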

DailyCVE Form:

Platform: XWiki
Version: 10.9-16.4.6
Vulnerability: Information Disclosure
Severity: Medium
Date: 2025-06-13

Prediction: Patch expected 2025-06-20

What Undercode Say:

curl -X GET "http://xwiki-instance/rest/wikis/xwiki/classes/PageClass/properties/"

import requests
response = requests.get("http://xwiki-instance/rest/wikis/xwiki/classes/PageClass/properties/")
print(response.text)

How to Exploit:

1. Identify target XWiki instance.

2. Enumerate page references.

3. Query the REST API for titles.

Protection from this CVE:

1. Upgrade to patched versions.

2. Restrict API access.

3. Audit XClass permissions.
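"Restrict API access" is the only one of the three steps that also gives defenders something to watch for: systematic title harvesting shows up in the web server access log as one client hitting the class property values endpoint many times in a short window. The following is an added example, not part of the original post or of XWiki: a Python detector run over constructed combined-log-format lines. The endpoint path shape follows the URL on the page; the trailing `/values` resource name, the query string and the client addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Combined/common log format: client, timestamp, request line, status
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Class property values endpoint. Path shape follows the URL on the page; the
# "/values" suffix is an assumption about the REST resource being queried.
PROPERTY_VALUES_RE = re.compile(
    r'^(?:/xwiki)?/rest/wikis/[^/]+/classes/[^/]+/properties/[^/?]+/values(?:[?/]|$)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def flag_enumeration(lines: List[str], threshold: int = 20,
                     window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Return {client: max requests in any `window`} for every client that hit the
    property values endpoint at least `threshold` times inside one window. A dense
    run of lookups from a single client is the footprint of reference-by-reference
    title harvesting; ordinary UI use produces a handful of lookups spread out."""
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        if PROPERTY_VALUES_RE.match(m.group("path")):
            hits[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FORMAT))
    flagged: Dict[str, int] = {}
    for ip, stamps in hits.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def constructed_log() -> List[str]:
    """Constructed sample traffic, not captured data: one client querying 25 references
    in 25 seconds, one client making three lookups ten minutes apart, one unrelated hit."""
    base = datetime.strptime("13/Jun/2025:10:00:00 +0000", TS_FORMAT)

    def line(ip: str, offset: int, path: str, status: int = 200) -> str:
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 311'

    endpoint = "/rest/wikis/xwiki/classes/PageClass/properties/page/values?q=Secret.P%d"
    lines = [line("10.0.0.5", i, endpoint % i) for i in range(25)]
    lines += [line("10.0.0.9", i * 600, endpoint % i) for i in range(3)]
    lines += [line("10.0.0.9", 5, "/bin/view/Main/WebHome")]
    return lines

if __name__ == "__main__":
    print(flag_enumeration(constructed_log()))  # {'10.0.0.5': 25}
```

The threshold and window are tuning knobs: set them from a baseline of how often legitimate users trigger the page picker, and pair the alert with the upgrade rather than relying on it alone, since a slow scan below the threshold still leaks titles on an unpatched instance.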

Impact:

Confidentiality breach for sensitive page titles. Low risk in default setups; high if page names are obfuscated.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
