CVE-2025-29926

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99	Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gfp2-6qhm-7x43	Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-22490	Exploit Issue Tracking Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki:5.4:-::::::
	cpe:2.3:a:xwiki:xwiki:5.4:rc1::::::

History

13 May 2025, 13:34

Type	Values Removed	Values Added
First Time		Xwiki Xwiki xwiki
References	~~() https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99 -~~	() https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99 - Patch
References	~~() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gfp2-6qhm-7x43 -~~	() https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gfp2-6qhm-7x43 - Vendor Advisory
References	~~() https://jira.xwiki.org/browse/XWIKI-22490 -~~	() https://jira.xwiki.org/browse/XWIKI-22490 - Exploit, Issue Tracking, Vendor Advisory
Summary		(es) XWiki Platform es una plataforma wiki genérica. Antes de las versiones 15.10.15, 16.4.6 y 16.10.0, cualquier usuario podía explotar la API REST de WikiManager para crear una nueva wiki, donde podía convertirse en administrador y, por lo tanto, realizar otros ataques a la granja. Tenga en cuenta que esta API REST no está incluida en XWiki Standard por defecto: debe instalarse manualmente mediante el administrador de extensiones. El problema se ha corregido en las versiones 15.10.15, 16.4.6 y 16.10.0 del módulo REST.
CWE		CWE-862
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CPE		cpe:2.3:a:xwiki:xwiki:::::::: cpe:2.3:a:xwiki:xwiki:5.4:rc1:::::: cpe:2.3:a:xwiki:xwiki:5.4:-::::::

19 Mar 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-19 18:15

Updated : 2025-05-13 13:34

NVD link : CVE-2025-29926

Mitre link : CVE-2025-29926

CVE.ORG link : CVE-2025-29926

JSON object : View

Products Affected

xwiki

xwiki

CWE

CWE-285

Improper Authorization

CWE-862

Missing Authorization

9.8 /10