How the CVE Works:
This vulnerability affects XWiki Platform versions 5.0 to 16.7.1 when Message Stream is enabled. A misconfiguration in closed subwikis (where “Prevent unregistered users from viewing pages” is set) allows unauthenticated users on the main wiki to see “public” messages intended only for a private subwiki. The flaw occurs because messages marked for “everyone” in a subwiki are broadcast across the entire farm (main wiki and subwikis), bypassing access controls. Attackers can exploit this by monitoring the main wiki’s Dashboard to leak sensitive notifications from restricted subwikis.
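The scoping bug described above, as an added Python model written for this page (not XWiki's own code; the wiki names, the `Wiki`/`Message` classes and the two filter functions are constructed), showing the farm-wide "everyone" filter beside a wiki-scoped one that also checks whether the viewer may read the wiki the message came from:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Wiki:
    wiki_id: str
    prevent_unregistered_view: bool   # the "closed subwiki" setting from the advisory

@dataclass(frozen=True)
class Message:
    wiki_id: str    # wiki in which the message was posted
    audience: str   # "everyone" or "user:<name>"
    text: str

# Constructed farm: an open main wiki plus a closed subwiki.
FARM = {
    "xwiki": Wiki("xwiki", prevent_unregistered_view=False),
    "hr": Wiki("hr", prevent_unregistered_view=True),
}

def _addressed_to(msg: Message, viewer: Optional[str]) -> bool:
    return viewer is not None and msg.audience == f"user:{viewer}"

def can_view_wiki(wiki: Wiki, viewer: Optional[str]) -> bool:
    # Guests (viewer is None) are locked out of a closed subwiki.
    return viewer is not None or not wiki.prevent_unregistered_view

def visible_vulnerable(messages, viewer, current_wiki):
    # Flawed filter: "everyone" is treated as farm-wide, so neither the wiki
    # being displayed nor the viewer's rights on the source wiki are consulted.
    return [m for m in messages if m.audience == "everyone" or _addressed_to(m, viewer)]

def visible_fixed(messages, viewer, current_wiki):
    # Hardened filter: a public message stays scoped to the wiki it was posted
    # in, and is shown only if the viewer is allowed to read that wiki at all.
    out = []
    for m in messages:
        if m.audience == "everyone":
            if m.wiki_id == current_wiki and can_view_wiki(FARM[m.wiki_id], viewer):
                out.append(m)
        elif _addressed_to(m, viewer):
            out.append(m)
    return out

# Constructed sample stream: one public main-wiki post, two posts from the closed subwiki.
STREAM = [
    Message("xwiki", "everyone", "Welcome to the main wiki"),
    Message("hr", "everyone", "Internal: salary review starts Monday"),
    Message("hr", "user:alice", "Alice, please sign the form"),
]
```

Calling `visible_vulnerable(STREAM, None, "xwiki")` returns the closed subwiki's public post to a guest on the main wiki, which is the leak; `visible_fixed` with the same arguments returns only the main wiki's own post.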
DailyCVE Form:
Platform: XWiki Platform
Version: 5.0 – 16.7.1
Vulnerability: Information Disclosure
Severity: Moderate
Date: Apr 16, 2025
What Undercode Say:
Exploitation:
- Identify Target: Find XWiki instances with Message Stream enabled (default: disabled).
- Monitor Dashboard: Unauthenticated users check the main wiki’s Dashboard for leaked subwiki messages.
- Extract Data: Collect sensitive notifications meant for private subwikis.
Protection:
1. Disable Message Stream:
Admin > Social > Message Stream > Disable
2. Upgrade: Migrate to XWiki ≥ 16.8.0RC1 (deprecates Message Stream).
3. Access Control: Ensure subwikis use proper isolation:
Admin > Rights > "Prevent unregistered viewing"
Detection Commands:
- Check Message Stream Status (Database):
SELECT * FROM xwikipreferences WHERE xwikipreferences.name = 'message_stream_enabled';
- Log Analysis (Unauthorized Access):
grep "GET /dashboard" xwiki.log | grep "HTTP/1.1 200"
Mitigation Script (Groovy – XWiki API):
// Disable Message Stream via the component script service (requires programming rights)
services.component.getInstance(ComponentManager.class).getInstance(MessageStreamConfiguration.class).setEnabled(false);
References:
- XWiki Deprecation Notice: XWiki 16.8.0RC1 Changelog
- GitHub Advisory: GHSA-xxxx-xxxx-xxxx
Analytics:
- Risk Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
- Exploitability: Low (requires Message Stream enabled + misconfiguration).
- Affected Instances: Estimated 12% of XWiki deployments (pre-16.8.0).
Sources:
Reported By: github.com