CVE-2025-29925

MEDIUM EXPLOITED NUCLEI

XWiki REST API - Private Pages Disclosure

Title source: nuclei

Description

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/[wikiName]/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki, though only for the main wiki. The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights.

Nuclei Templates (1)

XWiki REST API - Private Pages Disclosure

HIGHVERIFIEDby ritikchaddha

Shodan: html:"data-xwiki-reference"

FOFA: body="data-xwiki-reference"

References (5)

[Patch] https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df

[Patch] https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-22q5-9phm-744v

[Exploit, Issue Tracking, Vendor Advisory] https://jira.xwiki.org/browse/XWIKI-22630

[Issue Tracking, Vendor Advisory] https://jira.xwiki.org/browse/XWIKI-22639

Scores

CVSS v3 5.3

EPSS 0.0039

EPSS Percentile 60.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

VulnCheck KEV 2025-09-04

CWE

CWE-402

Status published

Products (2)

org.xwiki.platform/xwiki-platform-rest-server 1.9M1 - 15.10.14Maven

xwiki/xwiki 1.9 - 15.10.14

Published Mar 19, 2025

Tracked Since Feb 18, 2026