CVE-2025-65089
📋 TL;DR
This vulnerability allows users without view permissions to access Office attachment content via the view file macro in XWiki Remote Macros. It affects XWiki installations using the Remote Macros extension for Confluence migration. The issue enables unauthorized information disclosure of sensitive documents.
💻 Affected Systems
- XWiki Remote Macros (xwiki-pro-macros)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could access confidential Office documents (Word, Excel, PowerPoint) containing sensitive business information, intellectual property, or personal data stored as attachments in XWiki.
Likely Case
Users with limited permissions could view Office attachments they shouldn't have access to, potentially exposing internal documentation, meeting notes, or project files.
If Mitigated
With proper access controls and monitoring, impact is limited to potential exposure of non-critical documents, with audit trails to identify unauthorized access attempts.
🎯 Exploit Status
Exploitation requires a user account (even with minimal permissions) and knowledge of attachment URLs or page references. No authentication bypass needed beyond the permission issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.27.0
Vendor Advisory: https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-8c52-x9w7-vc95
Restart Required: Yes
Instructions:
1. Backup your XWiki instance.
2. Update the Remote Macros extension to version 1.27.0 via XWiki Extension Manager or manual installation.
3. Restart the XWiki application server.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable view file macro
Temporarily disable the vulnerable view file macro functionality until patching can be completed.
Edit XWiki configuration to remove or disable the view file macro
Restrict macro usage
Limit which users/groups can use macros through XWiki rights management.
Configure XWiki rights to restrict macro execution to trusted users only
🧯 If You Can't Patch
- Implement strict access controls on pages containing Office attachments
- Monitor and audit access to view file macro usage and attachment access patterns
🔍 How to Verify
Check if Vulnerable:
Check the Remote Macros extension version in XWiki Administration > Extension Manager. If the version is below 1.27.0, the installation is vulnerable.
Check Version:
Check XWiki Administration panel or extension configuration files for version information.
Verify Fix Applied:
After updating, verify the extension shows version 1.27.0 in Extension Manager and test that users without view rights cannot access Office attachments via macros.
📡 Detection & Monitoring
Log Indicators:
- Failed permission checks for attachment access
- View file macro usage by unauthorized users
- Unusual access patterns to Office documents
Network Indicators:
- Requests to attachment URLs from unauthorized users
- Macro execution requests without proper authentication
SIEM Query:
Search for 'viewfile' macro usage combined with user permission violations in XWiki audit logs
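An added example, not code from the advisory or from the xwiki-pro-macros project, covering the two checks above: the version test under "How to Verify" (numeric comparison against 1.27.0, since string comparison would rank 1.9.0 after 1.27.0) and the "SIEM Query" correlation of viewfile macro renders with view-permission denials. The log layout, field names and sample lines are constructed assumptions; real XWiki logs are formatted differently, so the regex must be adapted to your own audit source.

```python
import re

# Fixed version named in the advisory for xwiki-pro-macros (Remote Macros).
FIXED_VERSION = (1, 27, 0)

def parse_version(text):
    """Parse a dotted version such as '1.26.3' into a tuple of ints.
    Missing components count as 0, so '1.28' becomes (1, 28, 0)."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def is_vulnerable(installed_version):
    """True when the installed Remote Macros version predates 1.27.0."""
    return parse_version(installed_version) < FIXED_VERSION

# Constructed sample log lines in an ASSUMED key=value layout (not XWiki's
# real format). mallory renders viewfile on a page she was denied view on;
# alice was only denied edit, which is not the pattern of this CVE.
SAMPLE_LOG = """\
2025-11-20 10:15:01 WARN  event=access_denied right=view user=XWiki.mallory doc=Finance.Budget2025
2025-11-20 10:15:02 INFO  event=macro_render macro=viewfile user=XWiki.mallory doc=Finance.Budget2025 attachment=q4-forecast.xlsx
2025-11-20 10:16:10 INFO  event=macro_render macro=viewfile user=XWiki.alice doc=Finance.Budget2025 attachment=q4-forecast.xlsx
2025-11-20 10:17:45 WARN  event=access_denied right=edit user=XWiki.alice doc=Finance.Budget2025
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_log_line(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(KV_RE.findall(line))

def viewfile_without_view_right(log_text):
    """Return viewfile macro renders by a user on a document for which that
    same user was denied the view right. Two passes, so the order in which
    the denial and the render were logged does not matter."""
    denied_view = set()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f.get("event") == "access_denied" and f.get("right") == "view":
            denied_view.add((f["user"], f["doc"]))
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if (f.get("event") == "macro_render" and f.get("macro") == "viewfile"
                and (f.get("user"), f.get("doc")) in denied_view):
            hits.append(f)
    return hits
```

Each returned hit is the render event that should not have served attachment content; feed those into the SIEM alert rather than every viewfile render, which is legitimate activity on a patched instance.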