Platform
java
Component
org.xwiki.platform:xwiki-platform-security-authorization-api
Fixed versions
6.1.1
16.0.1
16.5.1
15.10.14
CVE-2025-29924 describes an authorization bypass vulnerability within the XWiki Platform. This flaw allows unauthorized access to private information through the REST API, specifically impacting subwikis that have enabled the 'Prevent unregistered users to view pages' right option. Affected versions are those prior to 15.10.14. A fix is available in version 15.10.14.
The vulnerability allows an attacker to bypass authorization checks within XWiki Platform's REST API. Specifically, if a subwiki is configured to prevent unregistered users from viewing pages, an attacker can circumvent this restriction and access protected content without authentication. This could expose sensitive data, internal documentation, or other confidential information. The impact is limited to subwikis with the specified right option enabled and accessed through the REST API. While the description mentions potential access through other APIs, the primary attack vector is the REST API.
CVE-2025-29924 was publicly disclosed on March 19, 2025. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of this writing. Public proof-of-concept exploits are not currently known, but the vulnerability's nature suggests it could be relatively easy to exploit once a suitable payload is developed.
Organizations using XWiki Platform with subwikis configured to 'Prevent unregistered users to view pages' are at risk. This includes deployments where sensitive information is stored within subwikis and accessed via the REST API. Shared hosting environments utilizing XWiki Platform are also potentially vulnerable if the subwiki configuration is not properly managed.
• java / server:
# Check the deployed XWiki Platform version from the affected component's jar
# (the version is part of the file name). The path is an assumed Tomcat layout;
# adjust it to where the xwiki webapp is exploded on your server.
ls /var/lib/tomcat/webapps/xwiki/WEB-INF/lib/xwiki-platform-security-authorization-api-*.jar
• java / server:
# Monitor XWiki Platform logs for unauthorized access attempts to subwiki pages.
# Example: grep -i 'unauthorized access' /var/log/xwiki/xwiki.log
Disclosure
Exploitation status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-29924 is to upgrade XWiki Platform to version 15.10.14 or later. If upgrading is not immediately feasible, consider temporarily disabling the 'Prevent unregistered users to view pages' right option within affected subwikis. While this reduces security, it prevents the immediate exploitation of the vulnerability. Review XWiki Platform's REST API access controls and ensure proper authentication and authorization mechanisms are in place. Monitor XWiki Platform logs for suspicious activity, particularly unauthorized access attempts to subwiki pages.
Upgrade XWiki Platform to version 15.10.14, 16.4.6 or 16.10.0RC1 or later. This fixes the vulnerability that allows unauthorized access to private information in subwikis when the 'Prevent unregistered users to view pages' option is used.
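The upgrade guidance above names one fix version per release line, so a defender's first job is to map each deployed instance's version onto those lines. The following is an added example, not code from this page or from the XWiki project: it parses XWiki-style version strings (including RC and milestone tags), decides whether a version predates its line's fix using the three fix versions from the upgrade guidance, and reads the version out of a REST root document. The assumptions are that each listed fix closes its own release line (15.10.x, 16.4.x, 16.10.x) and that lines without their own fix are only safe from the newest fix onward; the REST root document shape is assumed as well, and the sample response is constructed rather than captured.

```python
import re
import xml.etree.ElementTree as ET

# Fix versions as listed in the upgrade guidance on this page, one per maintained release line.
FIXED_VERSIONS = ("15.10.14", "16.4.6", "16.10.0RC1")

# XWiki version strings look like 15.10.14, 16.10.0RC1, 16.10.0-rc-1 or 16.0.0-milestone-2.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(rc|milestone)-?(\d+))?$", re.IGNORECASE
)


def parse_version(text):
    """Turn an XWiki version string into a tuple that sorts in release order.

    Pre-releases sort before the final release of the same number
    (16.10.0-milestone-1 < 16.10.0RC1 < 16.10.0), so a fix shipped in an RC
    is recognised in that RC and in everything released after it.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, tag, tag_number = match.groups()
    # 0 = milestone, 1 = release candidate, 2 = final release
    pre_release_rank = 2 if tag is None else (0 if tag.lower() == "milestone" else 1)
    return (int(major), int(minor), int(patch or 0), pre_release_rank, int(tag_number or 0))


def release_line(version):
    """The maintained line a parsed version belongs to: (major, minor)."""
    return version[:2]


def is_vulnerable(version_text, fixed_versions=FIXED_VERSIONS):
    """True if the given XWiki version predates the fix for CVE-2025-29924.

    Assumption: each listed fix closes its own release line, and a release line
    without its own fix (for example 16.0.x or 16.6.x) is only safe once it
    reaches the newest fix version.
    """
    version = parse_version(version_text)
    fixes = sorted(parse_version(f) for f in fixed_versions)
    for fix in fixes:
        if release_line(fix) == release_line(version):
            return version < fix
    return version < fixes[-1]


def version_from_rest_root(xml_text):
    """Extract the version from an XWiki REST root document (GET /xwiki/rest/).

    Assumption: the document carries the version as a <version> child element in
    the http://www.xwiki.org namespace; a version attribute on the root element
    is accepted as a fallback.
    """
    root = ET.fromstring(xml_text)
    element = root.find("{http://www.xwiki.org}version")
    if element is not None and element.text:
        return element.text.strip()
    if root.get("version"):
        return root.get("version").strip()
    raise ValueError("no version found in REST root document")


# Constructed sample of a REST root response; not captured from a real server.
SAMPLE_REST_ROOT = """<xwiki xmlns="http://www.xwiki.org">
  <version>15.10.13</version>
  <link rel="http://www.xwiki.org/rel/wikis" href="http://xwiki.example.org/xwiki/rest/wikis"/>
</xwiki>
"""


def assess(xml_text):
    """Return (version, vulnerable) for a REST root document."""
    version = version_from_rest_root(xml_text)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = assess(SAMPLE_REST_ROOT)
    state = "VULNERABLE, upgrade" if vulnerable else "patched"
    print(f"XWiki {version}: {state} (fixes: {', '.join(FIXED_VERSIONS)})")
```

Feeding `assess` the body of a real `GET /xwiki/rest/` response (or the version taken from the jar name under `WEB-INF/lib`) gives a per-instance verdict that can be fed into an inventory; note that the branch rule is an assumption stated in the lead-in and should be checked against the vendor advisory linked at the end of this page.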
CVE-2025-29924 is a HIGH severity vulnerability in XWiki Platform allowing attackers to bypass authorization controls via the REST API and potentially access private information within subwikis.
You are affected if you are using XWiki Platform versions prior to 15.10.14 and have subwikis configured with 'Prevent unregistered users to view pages'.
Upgrade XWiki Platform to version 15.10.14 or later. As a temporary workaround, disable the 'Prevent unregistered users to view pages' right option in affected subwikis.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be easily exploited.
Refer to the official XWiki Platform security advisory for detailed information and updates: [https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories](https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories)