Platform
java
Component
org.xwiki.platform:xwiki-platform-skin-skinx
Fixed in
4.2.1
16.10.7
CVE-2025-55748 is a critical vulnerability affecting XWiki Platform, specifically the xwiki-platform-skin-skinx component. Attackers can exploit this flaw to access sensitive configuration files by manipulating URLs, potentially leading to data exposure and system compromise. This vulnerability impacts versions prior to 16.10.7, and a patch is available in versions 16.10.7 and 17.4.0-rc-1.
The primary impact of CVE-2025-55748 is the unauthorized disclosure of configuration files within the XWiki Platform. By crafting specific URLs, an attacker can bypass intended access controls and retrieve files like xwiki.cfg from the WEB-INF directory. This file may contain sensitive information such as database credentials, API keys, or other configuration details that could be leveraged to further compromise the system. The vulnerability appears to be reproducible on Tomcat instances, expanding the potential attack surface. Successful exploitation could lead to data breaches, privilege escalation, and ultimately, complete system takeover.
CVE-2025-55748 was publicly disclosed on September 3, 2025. The vulnerability's simplicity and the potential for widespread impact suggest a moderate probability of exploitation. No public proof-of-concept (PoC) code has been publicly released as of this writing, but the ease of exploitation makes it a likely target. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns.
Organizations running XWiki Platform, particularly those deploying it on Tomcat servers, are at risk. Shared hosting environments where multiple XWiki instances reside on the same server are especially vulnerable, as a compromise of one instance could potentially lead to the exposure of configuration data for others.
• java / server: Monitor Tomcat access logs for requests containing the pattern ../../WEB-INF/xwiki.cfg.
grep -F '../../WEB-INF/xwiki.cfg' /var/log/tomcat/access_log
• generic web: Use curl to test for the vulnerability by accessing http://<target>/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false. A successful exploit will return the contents of the xwiki.cfg file. (The URL is quoted so the shell does not treat the ampersand as a command separator.)
curl 'http://<target>/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false'
Exploit status
EPSS
0.57% (69th percentile)
CISA SSVC
The recommended mitigation for CVE-2025-55748 is to immediately upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. Since there is no known workaround other than upgrading, prioritize this action. If upgrading is not immediately feasible, consider implementing strict URL filtering rules within your web application firewall (WAF) or reverse proxy to block requests containing the malicious pattern ../../WEB-INF/xwiki.cfg. Monitor access logs for suspicious URL patterns. After upgrading, confirm the vulnerability is resolved by attempting the original exploit URL and verifying that access is denied.
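The log-monitoring advice above and in the detection section relies on a literal grep, which only matches the exact string ../../WEB-INF/xwiki.cfg. The following added example (not part of the advisory or of XWiki) parses Tomcat common-format access log lines, isolates requests to the skinx endpoints the page names (ssx, jsx, sx), percent-decodes the resource parameter before checking it for traversal, and separates served requests (200) from ones already blocked upstream. The log lines, client addresses and the skin resource path are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Tomcat "common" access log layout: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Skin-extension endpoints served by xwiki-platform-skin-skinx (ssx/jsx/sx, as named on this page).
SKINX_PATH_RE = re.compile(r'^/bin/(ssx|jsx|sx)/')

# Constructed sample traffic, not real log data: plain and percent-encoded traversals served
# with 200, a legitimate skin resource, an unrelated page view, and a traversal blocked upstream (403).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Sep/2025:10:15:01 +0000] "GET /bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false HTTP/1.1" 200 4821
10.0.0.6 - - [03/Sep/2025:10:15:02 +0000] "GET /bin/ssx/Main/WebHome?resource=%2e%2e%2f%2e%2e%2fWEB-INF%2fxwiki.cfg HTTP/1.1" 200 4821
10.0.0.7 - - [03/Sep/2025:10:15:03 +0000] "GET /bin/jsx/Main/WebHome?resource=js/xwiki/table/table.js&minify=true HTTP/1.1" 200 1200
10.0.0.8 - - [03/Sep/2025:10:15:04 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 9000
10.0.0.9 - - [03/Sep/2025:10:15:05 +0000] "GET /bin/ssx/Main/WebHome?resource=..%2f..%2fWEB-INF%2fxwiki.cfg HTTP/1.1" 403 0
"""

def normalize(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (handles double-encoded input) and unify separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')

def is_traversal(resource: str) -> bool:
    """Suspect if the resource has a '..' segment, is absolute, or names WEB-INF (never a skin file)."""
    norm = normalize(resource)
    segments = norm.split('/')
    return '..' in segments or norm.startswith('/') or 'WEB-INF' in segments

def scan_access_log(text: str) -> list[dict]:
    """One finding per skinx request whose 'resource' is a traversal; likely_success flags a served 200."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _, target, status, _ = m.groups()
        parts = urlsplit(target)
        if not SKINX_PATH_RE.match(parts.path):
            continue
        for resource in parse_qs(parts.query).get('resource', []):
            if is_traversal(resource):
                findings.append({'client': client, 'time': ts, 'status': int(status),
                                 'resource': normalize(resource), 'likely_success': status == '200'})
    return findings
```

Run scan_access_log over the contents of the real access_log; a finding with likely_success set means the server answered the traversal rather than the WAF or proxy rejecting it, and those hosts should be checked for exposure of the credentials in xwiki.cfg.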
Update XWiki Platform to version 16.10.7 or later. This version fixes the vulnerability that allowed unauthorized file access through the jsx and sx endpoints. The update prevents the exposure of sensitive information.
CVE-2025-55748 is a critical vulnerability in XWiki Platform allowing attackers to read configuration files via crafted URLs, potentially exposing sensitive data.
You are affected if you are running XWiki Platform versions prior to 16.10.7 or 17.4.0-rc-1. Immediate action is required.
Upgrade XWiki Platform to version 16.10.7 or 17.4.0-rc-1. There is no known workaround other than upgrading.
While no public exploits are currently known, the vulnerability's simplicity suggests a potential for active exploitation. Monitoring is crucial.
Refer to the XWiki Jira issue tracker for the latest information and updates: https://jira.xwiki.org/