CVE-2025-55749

Summary

XWiki is an open-source wiki software platform. From 16.7.0 to 16.10.11, 17.4.4, or 17.7.0, in an instance which is using the XWiki Jetty package (XJetty), a context is exposed to statically access any file located in the webapp/ folder. It allows accessing files which might contains credentials. Fixed in 16.10.11, 17.4.4, and 17.7.0.

Affected Software

VendorProductVersion RangeStatus
xwikixwiki-platform>= 16.7.0, < 16.10.11affected
xwikixwiki-platform>= 17.0.0-rc1, < 17.4.4affected
xwikixwiki-platform>= 17.5.0, < 17.7.0affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References