high
8.7
CWE
269
Advisory Published
Advisory Published
Updated

CVE-2025-29924: XWiki uses the wrong wiki reference in AuthorizationManager

First published: Wed Mar 19 2025(Updated: )

### Impact It's possible for an user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as "Prevent unregistered users to view pages". or "Prevent unregistered users to edit pages". It's possible to detect the vulnerability by enabling "Prevent unregistered users to view pages" and then trying to access a page through the REST API without using any credentials. ### Patches The vulnerability has been patched in XWiki 15.10.14, 16.4.6 and 16.10.0RC1. ### Workarounds There's no workaround. ### References * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22640 * Commit of the fix: https://github.com/xwiki/xwiki-platform/commit/5f98bde87288326cf5787604e2bb87836875ed0e ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
XWiki Platform<15.10.14<16.4.6<16.10.0-rc-1
maven/org.xwiki.platform:xwiki-platform-security-authorization-api>=16.5.0-rc-1<16.10.0-rc-1
16.10.0-rc-1
maven/org.xwiki.platform:xwiki-platform-security-authorization-api>=16.0.0-rc-1<16.4.6
16.4.6
maven/org.xwiki.platform:xwiki-platform-security-authorization-api>=6.1-rc-1<15.10.14
15.10.14

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2025-29924?

    CVE-2025-29924 is classified as a vulnerability that allows unauthorized access to private information via the REST API.

  • How do I fix CVE-2025-29924?

    To fix CVE-2025-29924, upgrade XWiki Platform to versions 15.10.14, 16.4.6, or 16.10.0-rc-1 or later.

  • What is the impact of CVE-2025-29924?

    The impact of CVE-2025-29924 is that unregistered users can potentially access restricted information from a sub wiki.

  • Which versions of XWiki Platform are affected by CVE-2025-29924?

    Versions of XWiki Platform prior to 15.10.14, 16.4.6, and 16.10.0-rc-1 are affected by CVE-2025-29924.

  • How can I determine if my XWiki instance is vulnerable to CVE-2025-29924?

    You can determine if your XWiki instance is vulnerable by checking its version against the affected versions listed for CVE-2025-29924.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203