XWiki Platform, Information Disclosure, CVE-2025-32783 (Medium)


How CVE-2025-32783 Works

This vulnerability affects XWiki Platform versions 5.0 to 16.7.1 when Message Stream is enabled and a wiki is configured as private (“Prevent unregistered users to view pages”). Due to improper access control, messages sent to “everyone” in a subwiki are broadcast to the entire farm, including the main wiki. As a result, visitors who are not authorized on the private subwiki can read its messages from the main wiki's Dashboard. The issue stems from the deprecated Message Stream architecture, which does not enforce subwiki isolation.

DailyCVE Form

Platform: XWiki
Version: 5.0-16.7.1
Vulnerability: Information Disclosure
Severity: Medium
Date: 04/16/2025

What Undercode Says:

Exploitation Analysis

1. Exploit Scenario:

  • Attacker visits main wiki dashboard.
  • Private subwiki messages marked “everyone” are visible.

2. Verification Command:

curl -X GET "http://<main-wiki>/dashboard" | grep "message-stream"

Protection Measures

1. Workaround:

Disable Message Stream via:

Admin UI path: Administration > Social > Message Stream > Disable

2. Configuration Check:

SELECT * FROM xwikicfg WHERE property='message.stream.enabled' AND value='1';

3. Upgrade Recommendation:

Upgrade to XWiki 16.8.0RC1 or later, where Message Stream is deprecated.

4. Log Monitoring:

tail -f /var/log/xwiki/application.log | grep "MessageStream"

Sample Detection Script (Python):

import requests

def check_leak(url):
    # Fetch the main-wiki dashboard and look for the Message Stream
    # marker in the rendered page; True means the stream is rendered.
    r = requests.get(f"{url}/dashboard", timeout=10)
    return "message-stream" in r.text
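A fuller version of the same check, added here as an example and not taken from the original post or from the XWiki project: it fetches the dashboard with a cookie-less (anonymous) client, keeps the decision logic in a pure function so it can be tested offline, and treats a login form as "not exposed" even when the marker text appears in it. The /dashboard path and the "message-stream" marker come from this page; the j_username login field name and the User-Agent string are assumptions.

```python
"""Anonymous-exposure check for the main-wiki dashboard (CVE-2025-32783)."""
import sys
import urllib.error
import urllib.request

MARKER = "message-stream"          # marker used by this page's detection step
LOGIN_FIELD = 'name="j_username"'  # assumed XWiki login form field name


def classify(status, body, marker=MARKER):
    """Pure decision logic, testable without a live wiki.

    Returns 'exposed', 'login-required', 'not-present' or 'error'.
    """
    if status in (401, 403):
        return "login-required"
    if status != 200:
        return "error"
    if LOGIN_FIELD in body:
        # The anonymous visitor was redirected to a login page.
        return "login-required"
    return "exposed" if marker in body else "not-present"


def fetch_anonymous(base_url, timeout=10):
    """Fetch the dashboard without any cookie jar, i.e. as a guest user."""
    url = f"{base_url.rstrip('/')}/dashboard"
    req = urllib.request.Request(
        url, headers={"User-Agent": "cve-2025-32783-check"})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        return 0, str(exc)


def check_anonymous_exposure(base_url, timeout=10):
    """Return the verdict for one main-wiki base URL."""
    status, body = fetch_anonymous(base_url, timeout)
    return classify(status, body)


if __name__ == "__main__":
    # Usage: python check.py http://<main-wiki> [http://<other-main-wiki> ...]
    for base in sys.argv[1:]:
        print(f"{base}: {check_anonymous_exposure(base)}")
```

Run it against each main wiki in the farm after applying the workaround or upgrade; the expected verdict for a private farm is "login-required" or "not-present".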

Mitigation Steps:

1. Disable Module:

Set in xwiki.cfg:
message.stream.enabled=false

2. Firewall Rule:

iptables -A INPUT -p tcp --dport 8080 -m string --string "message-stream" --algo bm -j DROP

3. Audit Trail:

grep -r "sendToEveryone" /path/to/xwiki/storage/

Impact Summary:

  • Confidentiality: Unauthorized main wiki users access subwiki messages.
  • Integrity: No direct data modification.
  • Availability: No service disruption.

Reference Links:

End of Report.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
