CVE-2025-49584
📋 TL;DR
This vulnerability in XWiki allows attackers to access page titles through the REST API without proper authorization. It affects XWiki installations where page names are obfuscated but titles contain sensitive information. Only fully private wikis are unaffected as they have additional access controls.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers can enumerate sensitive page titles, potentially revealing confidential information when page names are intentionally obfuscated but titles contain sensitive data.
Likely Case
Attackers can discover page titles for known page references, which by default match page names, resulting in low confidentiality impact for standard configurations.
If Mitigated
With proper access controls on XClass definitions or in fully private wikis, the vulnerability is prevented as the REST endpoint checks access rights.
🎯 Exploit Status
Exploitation requires knowledge of page references and access to the REST API. One title can be retrieved per request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 16.4.7, 16.10.3, 17.0.0
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mvp5-qx9c-c3fv
Restart Required: Yes
Instructions:
1. Identify your XWiki version.
2. Upgrade to 16.4.7, 16.10.3, or 17.0.0 depending on your current branch.
3. Restart the XWiki service.
4. Verify the fix by testing REST API access controls.
🔧 Temporary Workarounds
Restrict REST API Access
Limit access to the REST API endpoint to authorized users only using network controls or application firewalls.
Implement Fully Private Wiki
Configure XWiki as a fully private wiki where all access rights are strictly controlled.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to XWiki REST API endpoints
- Review and strengthen access controls on XClass definitions to limit exposure
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version against the affected ranges. Test whether unauthorized users can access page titles via the REST API with known page references.
Check Version:
Check the XWiki administration interface or configuration files for version information.
Verify Fix Applied:
After patching, verify that unauthorized access to page titles via REST API is blocked and proper access controls are enforced.
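The branch-aware version comparison behind the "Check Version" step, as an added example (not code from XWiki or from the advisory). It encodes only the three fixed releases named above; the mapping of other branches to an upgrade target (anything before 16.4 to 16.4.7, 16.5 through 16.9 to 16.10.3) is an assumption made here, and pre-release suffixes such as "-rc-1" are treated as older than the final release of the same number.

```python
"""Check an installed XWiki version against the fixed releases for CVE-2025-49584.

Fixed releases from the advisory: 16.4.7, 16.10.3, 17.0.0.
Assumption (not stated on the page): a release is fixed when it is at or above the
fixed release of its own branch; branches without a fixed release of their own
(pre-16.4, and 16.5 .. 16.9) are directed to the nearest later fixed release.
"""
from __future__ import annotations

import re

# Version strings as XWiki publishes them: "16.10.2", "16.4", "17.0.0-rc-1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-.*)?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Return (major, minor, patch, final) where final is 0 for pre-releases.

    The fourth element makes '17.0.0-rc-1' sort before '17.0.0'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), 0 if suffix else 1


def upgrade_target(major: int, minor: int) -> str:
    """Pick the fixed release that applies to the installed branch (assumed mapping)."""
    if major >= 17:
        return "17.0.0"
    if (major, minor) == (16, 10):
        return "16.10.3"
    if (major, minor) == (16, 4):
        return "16.4.7"
    if major == 16 and minor > 4:
        return "16.10.3"  # 16.5 .. 16.9 have no fixed release of their own (assumption)
    return "16.4.7"  # anything before 16.4: lowest fixed release (assumption)


def assess(version_text: str) -> dict:
    """Report whether a version is fixed and, if not, which release to move to."""
    v = parse_version(version_text)
    target = upgrade_target(v[0], v[1])
    fixed = v >= parse_version(target)
    return {"version": version_text.strip(), "fixed": fixed, "upgrade_to": None if fixed else target}


if __name__ == "__main__":
    for sample in ("16.4.6", "16.4.7", "16.7.1", "16.10.2", "17.0.0-rc-1", "17.2.0"):
        print(assess(sample))
```

Read the version from the administration interface or configuration as the page describes and pass it to `assess`; a `fixed: False` result names the release to upgrade to before the service restart.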
📡 Detection & Monitoring
Log Indicators:
- Multiple unauthorized REST API requests for page titles
- Pattern of requests to /rest/wikis/xwiki/spaces/*/pages/*/objects/XWiki.XWikiRights/
Network Indicators:
- Unusual volume of REST API requests from single sources
- Requests attempting to enumerate page references
SIEM Query:
source="xwiki" AND (uri_path="/rest/*" AND status=200) AND user="anonymous"
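The log indicators and SIEM query above, applied to access-log lines, as an added example (not code from XWiki or from the advisory). It assumes a combined-format access log in front of XWiki, assumes the guest user appears as "-", "anonymous" or "XWikiGuest" depending on the log source, and uses a constructed sample log; the five-pages-in-five-minutes threshold is a starting point to tune, not a value from the page.

```python
"""Flag sources that enumerate XWiki page resources anonymously over the REST API.

Mirrors the page's SIEM predicate (path under /rest/, status 200, anonymous user)
and adds the enumeration signal: many distinct page references from one source
inside a short window.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format line (assumed log source in front of XWiki).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Page resource under the REST API; also matches the /objects/... suffix named on the page.
PAGE_PATH_RE = re.compile(r"^/rest/wikis/[^/]+/spaces/.+?/pages/[^/?]+")
# How the guest user is rendered varies by log source (assumption).
ANONYMOUS_USERS = {"-", "anonymous", "XWikiGuest"}

# Constructed sample: one anonymous source walking eight pages, one authenticated
# user, one anonymous single-page read, one rejected anonymous request.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jun/2025:10:00:01 +0000] "GET /rest/wikis/xwiki/spaces/HR/pages/Doc0001 HTTP/1.1" 200 512
198.51.100.7 - - [12/Jun/2025:10:00:02 +0000] "GET /rest/wikis/xwiki/spaces/HR/pages/Doc0002 HTTP/1.1" 200 498
198.51.100.7 - - [12/Jun/2025:10:00:03 +0000] "GET /rest/wikis/xwiki/spaces/HR/pages/Doc0003 HTTP/1.1" 200 503
203.0.113.5 - jdoe [12/Jun/2025:10:00:03 +0000] "GET /rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 200 2048
198.51.100.7 - - [12/Jun/2025:10:00:04 +0000] "GET /rest/wikis/xwiki/spaces/HR/pages/Doc0004 HTTP/1.1" 200 511
198.51.100.7 - - [12/Jun/2025:10:00:05 +0000] "GET /rest/wikis/xwiki/spaces/HR/pages/Doc0005/objects/XWiki.XWikiRights/ HTTP/1.1" 200 640
198.51.100.7 - - [12/Jun/2025:10:00:06 +0000] "GET /rest/wikis/xwiki/spaces/HR/pages/Doc0006 HTTP/1.1" 401 0
198.51.100.7 - - [12/Jun/2025:10:00:07 +0000] "GET /rest/wikis/xwiki/spaces/HR/pages/Doc0006 HTTP/1.1" 200 507
192.0.2.9 - - [12/Jun/2025:10:00:08 +0000] "GET /rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 200 2048
198.51.100.7 - - [12/Jun/2025:10:00:09 +0000] "GET /rest/wikis/xwiki/spaces/HR/pages/Doc0007 HTTP/1.1" 200 499
203.0.113.5 - jdoe [12/Jun/2025:10:00:10 +0000] "GET /rest/wikis/xwiki/spaces/Main/pages/Sandbox HTTP/1.1" 200 1900
198.51.100.7 - - [12/Jun/2025:10:00:11 +0000] "GET /rest/wikis/xwiki/spaces/HR/pages/Doc0008 HTTP/1.1" 200 515
"""


def parse_line(line: str) -> dict | None:
    """Parse one combined-format line into fields; None for blank or unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def matches_siem_query(rec: dict) -> bool:
    """Same predicate as the page's SIEM query: successful REST request by an anonymous user."""
    return rec["path"].startswith("/rest/") and rec["status"] == 200 and rec["user"] in ANONYMOUS_USERS


def find_enumeration(lines, min_pages: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {source_ip: max distinct page references read anonymously within one window}."""
    per_ip: dict[str, list] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not matches_siem_query(rec):
            continue
        m = PAGE_PATH_RE.match(rec["path"])
        if m:
            per_ip[rec["ip"]].append((rec["ts"], m.group(0)))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            best = max(best, len({page for _, page in events[start:end + 1]}))
        if best >= min_pages:
            flagged[ip] = best
    return flagged


def run_sample() -> dict:
    """Run the detector over the constructed sample log."""
    return find_enumeration(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(run_sample())
```

Only the single source reading many distinct pages is reported; the authenticated user and the single anonymous page read fall below the threshold, and the 401 response is excluded by the status check, matching the "pattern of requests" and "unusual volume from single sources" indicators listed above.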