मुफ्त स्कैन करें
CRITICALCVE-2025-55747CVSS 9.5

XWiki कॉन्फ़िगरेशन फ़ाइलें वेबजर्स API के माध्यम से एक्सेस की जा सकती हैं

प्लेटफ़ॉर्म

java

घटक

org.xwiki.platform:xwiki-platform-webjars-api

में ठीक किया गया

6.1.1

16.10.7

16.10.7

AI Confidence: highNVDEPSS 2.0%समीक्षित: मई 2026
NVD पर देखें
सहेजें
आपकी भाषा में अनुवाद हो रहा है…

CVE-2025-55747 describes a path traversal vulnerability discovered in the XWiki Platform Webjars API. This flaw allows attackers to potentially access and read sensitive configuration files by manipulating URLs, bypassing intended access controls. The vulnerability impacts versions of XWiki Platform prior to 16.10.7 and 17.4.0-rc-1, and a patch is available to address the issue.

Java / Maven

इस CVE को अपने प्रोजेक्ट में पहचानें

अपनी pom.xml फ़ाइल अपलोड करें और तुरंत जानें कि आप प्रभावित हैं या नहीं।

pom.xml अपलोड करेंसमर्थित प्रारूप: pom.xml · build.gradle

प्रभाव और हमले की स्थितियाँअनुवाद हो रहा है…

The primary impact of CVE-2025-55747 is the unauthorized disclosure of sensitive information. By crafting malicious URLs, an attacker can traverse the file system and access files outside of the intended web root. Specifically, the vulnerability allows access to the xwiki.cfg file, which contains configuration details for the XWiki platform. Exposure of this file could reveal database credentials, API keys, and other sensitive settings, enabling further exploitation and potentially leading to complete system compromise. This vulnerability is similar in concept to other path traversal attacks, where improper input validation allows attackers to navigate outside of intended directories.

शोषण संदर्भअनुवाद हो रहा है…

CVE-2025-55747 was publicly disclosed on September 3, 2025. As of this date, there are no reports of active exploitation in the wild. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's ease of exploitation suggests a potential for future exploitation if left unpatched.

कौन जोखिम में हैअनुवाद हो रहा है…

Organizations deploying XWiki Platform, particularly those with publicly accessible instances, are at risk. Legacy XWiki installations and those with misconfigured access controls are especially vulnerable. Shared hosting environments where multiple users share the same XWiki instance also face increased risk.

पहचान के चरणअनुवाद हो रहा है…

• java / server:

ps aux | grep xwiki

• java / server:

journalctl -u xwiki | grep -i "webjars"

• generic web:

curl -I http://<target>/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg

हमले की समयरेखा

  1. Disclosure

    disclosure

खतरा खुफिया

एक्सप्लॉइट स्थिति

प्रूफ ऑफ कॉन्सेप्टअज्ञात
CISA KEVNO

EPSS

1.99% (83% शतमक)

CISA SSVC

शोषणnone
स्वचालनीयno
तकनीकी प्रभावpartial

प्रभावित सॉफ्टवेयर

घटकorg.xwiki.platform:xwiki-platform-webjars-api
विक्रेताosv
प्रभावित श्रेणीमें ठीक किया गया
>= 6.1-milestone-2, < 16.10.7 – >= 6.1-milestone-2, < 16.10.76.1.1
6.1-milestone-216.10.7
7.1.416.10.7

कमजोरी वर्गीकरण (CWE)

CWE-23

समयरेखा

  1. आरक्षित
  2. प्रकाशित
  3. संशोधित
  4. EPSS अद्यतन

शमन और वर्कअराउंडअनुवाद हो रहा है…

The recommended mitigation for CVE-2025-55747 is to immediately upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. These versions include a fix that prevents the path traversal vulnerability. As there is no known workaround, upgrading is the only viable solution. If upgrading is not immediately feasible, consider implementing strict input validation on all URL parameters to prevent malicious path manipulation. While not a direct fix, this can provide a temporary layer of defense. After upgrading, confirm the fix by attempting to access the vulnerable URL (http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg) and verifying that access is denied.

कैसे ठीक करें

XWiki Platform को संस्करण 16.10.7 या उच्चतर में अपडेट करें। यह संस्करण वेबजर्स API के माध्यम से कॉन्फ़िगरेशन फ़ाइलों तक अनधिकृत पहुंच की अनुमति देने वाले भेद्यता को ठीक करता है। अपडेट यह सुनिश्चित करता है कि कॉन्फ़िगरेशन फ़ाइलें सुरक्षित हैं और सार्वजनिक रूप से एक्सेसिबल नहीं हैं।

CVE सुरक्षा न्यूज़लेटर

भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।

अक्सर पूछे जाने वाले सवालअनुवाद हो रहा है…

What is CVE-2025-55747 — path traversal in XWiki Platform Webjars API?

CVE-2025-55747 is a critical path traversal vulnerability in the XWiki Platform Webjars API that allows attackers to read sensitive configuration files by manipulating URLs.

Am I affected by CVE-2025-55747 in XWiki Platform?

Yes, if you are running XWiki Platform versions prior to 16.10.7 or 17.4.0-rc-1, you are vulnerable to this path traversal vulnerability.

How do I fix CVE-2025-55747 in XWiki Platform?

Upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. There is no known workaround other than upgrading.

Is CVE-2025-55747 being actively exploited?

As of September 3, 2025, there are no reports of active exploitation in the wild, but the vulnerability's ease of exploitation suggests a potential for future exploitation.

Where can I find the official XWiki advisory for CVE-2025-55747?

You can find the official advisory on the XWiki Jira issue tracker: https://jira.xwiki.org/browse/XWIKI-19350

क्या आपका प्रोजेक्ट प्रभावित है?

अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।

मुफ्त स्कैन करेंCVE खोजें