CVE-2025-54125

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page, which any user with view rights on that page can trigger by appending xpage=xml to the URL, includes password and email properties stored on the document even when those properties aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML export isn't needed; no feature in XWiki itself depends on the XML export.
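The description gives a defender two concrete handles: the export is selected by the xpage=xml query parameter, and the workaround is the absence of templates/xml.vm in the deployed WAR. The following is an added example (not from the advisory, NVD, or the XWiki project) that scans constructed access-log lines for successful requests to the XML export, so exposure can be assessed before the fixed versions are rolled out, and checks whether the workaround has been applied to a given WAR directory. The log format, the sample lines, and the WAR path are assumptions made for the example.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs

# NCSA-style access-log line. The pattern and the sample lines below are
# constructed for this example and are not taken from a real deployment.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2025:09:12:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Aug/2025:09:12:05 +0000] "GET /xwiki/bin/view/Main/WebHome?xpage=xml HTTP/1.1" 200 8812',
    '198.51.100.4 - - [10/Aug/2025:09:13:40 +0000] "GET /xwiki/bin/view/XWiki/Admin?language=en&xpage=xml HTTP/1.1" 200 4410',
    '198.51.100.4 - - [10/Aug/2025:09:14:02 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?xpage=plain HTTP/1.1" 200 900',
    '192.0.2.9 - - [10/Aug/2025:09:15:30 +0000] "GET /xwiki/bin/view/Main/WebHome?xpage=xml HTTP/1.1" 401 120',
]


def uses_xml_export(url: str) -> bool:
    """True when the query string selects the XML export template (xpage=xml).
    Parameter names are matched exactly, as the servlet container would;
    parse_qs also handles percent-encoded values."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return "xml" in params.get("xpage", [])


def find_xml_export_requests(lines):
    """Return (ip, timestamp, url, status) for every successful (2xx) request
    to the XML export. Rejected requests (e.g. 401) returned no document
    content, so they are not counted as a disclosure."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        status = int(m.group("status"))
        if 200 <= status < 300 and uses_xml_export(m.group("url")):
            hits.append((m.group("ip"), m.group("ts"), m.group("url"), status))
    return hits


def workaround_applied(war_root: str) -> bool:
    """True when templates/xml.vm is absent from the deployed WAR directory,
    i.e. the advisory's workaround is in place."""
    return not os.path.exists(os.path.join(war_root, "templates", "xml.vm"))


if __name__ == "__main__":
    for ip, ts, url, status in find_xml_export_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {url}")
    # Hypothetical deployment path; point this at the real exploded WAR.
    print("workaround applied:", workaround_applied("/var/lib/tomcat/webapps/xwiki"))
```

Matching only 2xx responses keeps the report focused on requests that actually returned the export; a 401 or 403 on the same URL shows interest in the endpoint but not a disclosure. Any hit in the window before the patch was applied is a reason to review what properties the exported documents held and whether rotating the affected credentials is warranted.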

Risk Information

Base Score: 6.5 (MODERATE)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score (Exploitation Probability): 0.635

Associated Vulnerability

Vulnerability | OS Platform
Vulnerabilities CVE-2025-49586, CVE-2024-56158, CVE-2025-54125, CVE-2025-54124 are fixed in Xwiki-platform-oldcore 16.4.7 | Windows
Vulnerabilities CVE-2025-54125, CVE-2025-54124 are fixed in Xwiki-platform-oldcore 16.10.5 | Windows
Vulnerabilities CVE-2025-54125, CVE-2025-54124 are fixed in Xwiki-platform-oldcore 17.2.0 | Windows
Vulnerabilities CVE-2025-54125, CVE-2025-54124 are fixed in XWiki-platform-legacy-oldcore 16.4.7 | Windows
Vulnerabilities CVE-2025-54125, CVE-2025-54124 are fixed in XWiki-platform-legacy-oldcore 16.10.5 | Windows
Vulnerabilities CVE-2025-54125, CVE-2025-54124 are fixed in XWiki-platform-legacy-oldcore 17.2.0 | Windows
Vulnerabilities CVE-2025-49586, CVE-2024-56158, CVE-2025-54125, CVE-2025-54124 are fixed in Xwiki-platform-oldcore for Linux 16.4.7 | Linux
Vulnerabilities CVE-2025-54125, CVE-2025-54124 are fixed in Xwiki-platform-oldcore for Linux 16.10.5 | Linux
Vulnerabilities CVE-2025-54125, CVE-2025-54124 are fixed in Xwiki-platform-oldcore for Linux 17.2.0 | Linux
Vulnerabilities CVE-2025-54125, CVE-2025-54124 are fixed in XWiki-platform-legacy-oldcore for Linux 16.4.7 | Linux
Vulnerabilities CVE-2025-54125, CVE-2025-54124 are fixed in XWiki-platform-legacy-oldcore for Linux 16.10.5 | Linux
Vulnerabilities CVE-2025-54125, CVE-2025-54124 are fixed in XWiki-platform-legacy-oldcore for Linux 17.2.0 | Linux

Patch Details

No records found
