CVE-2025-46554 Scanner
CVE-2025-46554 Scanner - Information Disclosure vulnerability in XWiki
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 15 days 3 hours
Scan only one: URL
Toolbox: -
XWiki is an open-source enterprise wiki written in Java, used by software development teams and other organizations for documentation and knowledge sharing. It centralizes documentation, tracks document versions, and can be customized and integrated with other systems, which makes it adaptable to a wide range of organizational needs. Typical users include project managers, developers, and documentation specialists. Its open-source licence and active contributor community account for its wide adoption and continuous improvement.
An information disclosure vulnerability in XWiki's REST API exposes attachment metadata to users who have no right to see it. The attachments endpoint does not enforce access rights before answering, so an unauthenticated request returns the list of a document's attachments together with their metadata. Even without the attachment content, the list alone reveals which files exist on which page and the details the metadata carries, which can be confidential in itself. Organizations running XWiki should apply the vendor's fixed release and verify that REST endpoints enforce the same view rights as the wiki's web interface.
The vulnerability is located in the XWiki REST API, specifically in the endpoint that serves a document's attachments. An unauthorized user exploits it by sending a plain GET request to the vulnerable endpoint, with no credentials, and receives the attachment metadata in the response. The endpoint allows access to `
If exploited, this vulnerability gives attackers access to attachment metadata stored in the XWiki database for documents they are not allowed to view. This can expose the existence and details of confidential documents and files, leading to data leaks, loss of intellectual property, reputational damage, and financial loss. Depending on the nature of the exposed information, affected users may suffer privacy violations and the organization may face fines and compliance findings. This emphasizes the need for regular security audits and timely updates so that such flaws do not compromise sensitive organizational data.
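The check described above, as an added example that is not the scanner's own code and not code from the XWiki project: it sends one unauthenticated GET to a document's attachments endpoint and classifies the response. It assumes the XWiki REST path layout `/rest/wikis/{wiki}/spaces/{space}/pages/{page}/attachments`, that the JSON representation is selected with `Accept: application/json`, and a constructed sample response body used only for offline testing; the function names and the verdict labels are the example's own.

```python
"""Unauthenticated probe for an XWiki REST attachments endpoint.

Added example; not the scanner's code and not XWiki's. Assumptions, labelled:
the REST path layout /rest/wikis/{wiki}/spaces/{space}/pages/{page}/attachments,
JSON selected via the Accept header, and the constructed sample body below.
"""
import json
import urllib.error
import urllib.request
from typing import Any

# Constructed sample of an attachments JSON body for offline testing.
# This is illustrative, not a captured server reply.
SAMPLE_EXPOSED_BODY = json.dumps({
    "attachments": [
        {"id": "xwiki:Sandbox.WebHome@report.pdf", "name": "report.pdf",
         "size": 48213, "author": "XWiki.alice", "mimeType": "application/pdf",
         "version": "1.1", "date": 1700000000000},
        {"id": "xwiki:Sandbox.WebHome@budget.xlsx", "name": "budget.xlsx",
         "size": 10240, "author": "XWiki.bob",
         "mimeType": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
         "version": "2.1", "date": 1700000001000},
    ]
})

# Fields worth reporting when the endpoint answers without credentials.
METADATA_FIELDS = ("name", "size", "author", "mimeType", "version", "date")


def attachments_url(base_url: str, wiki: str, spaces: list[str], page: str) -> str:
    """Build the endpoint URL; nested spaces become /spaces/A/spaces/B."""
    space_path = "/".join(f"spaces/{s}" for s in spaces)
    return f"{base_url.rstrip('/')}/rest/wikis/{wiki}/{space_path}/pages/{page}/attachments"


def extract_metadata(body: str) -> list[dict[str, Any]]:
    """Return the per-attachment metadata from a JSON body, or [] when the
    body is not JSON or carries no attachments list (for example an HTML
    login page or an error document)."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    entries = data.get("attachments") if isinstance(data, dict) else None
    if not isinstance(entries, list):
        return []
    return [{k: e.get(k) for k in METADATA_FIELDS if k in e}
            for e in entries if isinstance(e, dict)]


def classify(status: int, body: str) -> str:
    """Map an unauthenticated response to a verdict.

    exposed      - 200 and attachment metadata came back with no credentials
    controlled   - the server demanded authentication or denied access
    inconclusive - 200 with no attachments (nothing to leak), 404, or other
    """
    if status in (401, 403):
        return "controlled"
    if status == 200:
        return "exposed" if extract_metadata(body) else "inconclusive"
    return "inconclusive"


def probe(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """Issue one GET as a guest: no Authorization header, no cookies."""
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "User-Agent": "xwiki-attachments-probe",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive here; the body is still useful for the verdict.
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    # usage: probe.py https://wiki.example.org xwiki Sandbox WebHome
    base, wiki, space, page = sys.argv[1:5]
    status, body = probe(attachments_url(base, wiki, [space], page))
    print(f"HTTP {status} -> {classify(status, body)}")
    for item in extract_metadata(body):
        print("  ", item)
```

Point the probe at a document whose view right is denied to unauthenticated (guest) users; a 200 with attachment metadata for a deliberately public page is normal XWiki behaviour and says nothing about this flaw. An "exposed" verdict on a restricted page is the finding; "controlled" means the endpoint enforced rights; "inconclusive" covers pages with no attachments, missing pages, and non-JSON answers such as a login redirect, which should be re-checked rather than reported either way.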