CVE-2025-29926
19.03.2025, 18:15
XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.
Vendor | Product | Version |
---|---|---|
xwiki | xwiki | 5.4.1 ≤ 𝑥 < 15.10.15 |
xwiki | xwiki | 16.0.0 ≤ 𝑥 < 16.4.6 |
xwiki | xwiki | 16.5.0 ≤ 𝑥 < 16.10.0 |
xwiki | xwiki | 5.4 |
xwiki | xwiki | 5.4:rc1 |
𝑥 = Vulnerable software versions
Common Weakness Enumeration
- CWE-285 - Improper Authorization: The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
- CWE-862 - Missing Authorization: The software does not perform an authorization check when an actor attempts to access a resource or perform an action.