{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49584", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-06T15:44:21.556Z", "datePublished": "2025-06-13T17:21:33.575Z", "dateUpdated": "2025-06-13T18:20:04.000Z"}, "containers": {"cna": {"title": "XWiki makes title of inaccessible pages available through the class property values REST API", "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "lang": "en", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec"}, {"name": "https://jira.xwiki.org/browse/XWIKI-22736", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-22736"}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 10.9, < 16.4.7", "status": "affected"}, {"version": ">= 16.5.0-rc-1, < 16.10.3", "status": "affected"}, {"version": ">= 17.0.0-rc-1, < 17.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-13T17:21:33.575Z"}, "descriptions": [{"lang": "en", "value": "XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page."}], "source": {"advisory": "GHSA-mvp5-qx9c-c3fv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-13T18:19:47.734822Z", "id": "CVE-2025-49584", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T18:20:04.000Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-49584", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-13T18:19:47.734822Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-13T18:19:54.871Z"}}], "cna": {"title": "XWiki makes title of inaccessible pages available through the class property values REST API", "source": {"advisory": "GHSA-mvp5-qx9c-c3fv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"status": "affected", "version": ">= 10.9, < 16.4.7"}, {"status": "affected", "version": ">= 16.5.0-rc-1, < 16.10.3"}, {"status": "affected", "version": ">= 17.0.0-rc-1, < 17.0.0"}]}], "references": [{"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv", "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec", "name": "https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec", "tags": ["x_refsource_MISC"]}, {"url": "https://jira.xwiki.org/browse/XWIKI-22736", "name": "https://jira.xwiki.org/browse/XWIKI-22736", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-13T17:21:33.575Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49584", "state": "PUBLISHED", "dateUpdated": "2025-06-13T18:20:04.000Z", "dateReserved": "2025-06-06T15:44:21.556Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-13T17:21:33.575Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, this is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page."}, {"lang": "es", "value": "XWiki es una plataforma wiki gen\u00e9rica. En las versiones 10.9 a 16.4.6, 16.5.0-rc-1 a 16.10.2 y 17.0.0-rc-1 de la plataforma XWiki, se puede acceder al t\u00edtulo de cada p\u00e1gina cuya referencia se conoce a trav\u00e9s de la API REST siempre que se pueda acceder a una XClass con una propiedad de p\u00e1gina; este es el valor predeterminado para una instalaci\u00f3n de XWiki. Esto permite a un atacante obtener los t\u00edtulos de las p\u00e1ginas cuya referencia se conoce, un t\u00edtulo por solicitud. Esto no afecta a las wikis completamente privadas, ya que el endpoint REST verifica los derechos de acceso en la definici\u00f3n de la XClass. El impacto en la confidencialidad depende de la estrategia para los nombres de p\u00e1gina. Por defecto, los nombres de p\u00e1gina coinciden con el t\u00edtulo, por lo que el impacto deber\u00eda ser bajo; sin embargo, si los nombres de p\u00e1gina se ofuscan intencionalmente porque los t\u00edtulos son sensibles, el impacto podr\u00eda ser alto. Esto se ha solucionado en XWiki 16.4.7, 16.10.3 y 17.0.0 agregando comprobaciones de control de acceso antes de obtener el t\u00edtulo de cualquier p\u00e1gina."}], "id": "CVE-2025-49584", "lastModified": "2025-06-16T12:32:18.840", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-13T18:15:22.437", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/xwiki/xwiki-platform/commit/ee642f973a7c95d2d146fe03c81bcdee1871f4ec"}, {"source": "security-advisories@github.com", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv"}, {"source": "security-advisories@github.com", "url": "https://jira.xwiki.org/browse/XWIKI-22736"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}