Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-r5cr-xm48-97xp: XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API

Impact

Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It’s not filtering the result depending on current user rights, a not authenticated user could exploit this even in a totally private wiki.

To reproduce:

  • remove view from guest on the whole wiki
  • logout
  • access http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/attachments

You get a list of attachments, while the expected result should be an empty list.

Patches

This vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3.

Workarounds

We’re not aware of any workaround except upgrading.

For more information

If you have any questions or comments about this advisory:

Attribution

Issue reported by Lukas Monert.

ghsa
Open in Source
#vulnerability#web#git#java#auth#jira#maven

Skip to content

Navigation Menu

    • GitHub Copilot

      Write better code with AI

    • GitHub Advanced Security

      Find and fix vulnerabilities

    • Actions

      Automate any workflow

    • Codespaces

      Instant dev environments

    • Issues

      Plan and track work

    • Code Review

      Manage code changes

    • Discussions

      Collaborate outside of code

    • Code Search

      Find more, search less

  • Explore

    • Learning Pathways
    • Events & Webinars
    • Ebooks & Whitepapers
    • Customer Stories
    • Partners
    • Executive Insights

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles

    • Enterprise platform

      AI-powered developer platform

  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2025-46554

XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API

Moderate severity GitHub Reviewed Published Apr 30, 2025 in xwiki/xwiki-platform • Updated Apr 30, 2025

Package

maven org.xwiki.platform:xwiki-platform-rest-server (Maven)

Affected versions

>= 1.8.1, < 14.10.22

>= 15.0-rc-1, < 15.10.12

>= 16.0.0-rc-1, < 16.4.3

>= 16.5.0-rc-1, < 16.7.0

Patched versions

14.10.22

15.10.12

16.4.3

16.7.0

Description

Published to the GitHub Advisory Database

Apr 30, 2025

Last updated

Apr 30, 2025

EPSS score

ghsa: Latest News

GHSA-9fwj-9mjf-rhj3: laravel-auth0 SDK Vulnerable to Brute Force Authentication Tags of CookieStore Sessions
ghsa