CVE-2025-27604
Published: 07 March 2025
Description
Security Summary
CVE-2025-27604 is a vulnerability in the XWiki Confluence Migrator Pro application, which helps administrators import Confluence packages into XWiki instances. The issue arises because the application's homepage is publicly accessible, enabling unauthenticated guests to download packages that may contain sensitive information. This flaw, classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2025-03-07.
Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Exploitation allows the attacker to download Confluence packages from the public homepage, potentially exposing sensitive data contained within them and resulting in high confidentiality impact.
The vulnerability is fixed in version 1.11.7 of XWiki Confluence Migrator Pro. Mitigation details are available in the GitHub security advisory at https://github.com/xwikisas/application-confluence-migrator-pro/security/advisories/GHSA-3w9f-2pph-j5vc and the corresponding fixing commit at https://github.com/xwikisas/application-confluence-migrator-pro/commit/6ced42b1f341fd0ce6734fc58c7d694da5f365fb.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability publicly exposes Confluence packages (potentially containing sensitive data) via the unauthenticated homepage of the Confluence Migrator Pro app, directly enabling adversaries to collect data from Confluence information repositories.