CVE-2025-29924
Published: 19 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-29924 is an authorization bypass vulnerability in the XWiki Platform, a generic wiki platform. It affects versions prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, specifically impacting subwikis configured with rights options such as "Prevent unregistered users to view pages" or "Prevent unregistered users to edit pages." The flaw allows unauthorized access to private information through the REST API or potentially other APIs, bypassing these restrictions.
Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no privileges required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By directly accessing a protected page via the REST API without credentials—after enabling the relevant subwiki restriction—an attacker can retrieve confidential content, leading to high confidentiality impact. The issue stems from improper privilege management (CWE-269) and incorrect authorization (CWE-863).
Patches are available in XWiki 15.10.14, 16.4.6, and 16.10.0-rc-1, as detailed in the GitHub security advisory (GHSA-gq32-758c-3wm3), the fixing commit (5f98bde87288326cf5787604e2bb87836875ed0e), and XWiki JIRA ticket XWIKI-22640. Security practitioners should upgrade affected subwikis immediately and verify configurations to ensure the vulnerability is not detectable by unauthenticated REST API requests to protected pages.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authorization bypass in public-facing XWiki platform enables direct exploitation of the web application via REST API to access restricted content without authentication, mapping to T1190 Exploit Public-Facing Application.