CVE-2025-46557

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-46557
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46557.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-46557
Aliases
Published
2025-04-30T18:27:39.895Z
Modified
2026-04-10T05:28:27.548805Z
Severity
  • 8.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Any user with view access to the XWiki space can change the authenticator
Details

XWiki is a generic wiki platform. In versions starting from 15.3-rc-1 to before 15.10.14, from 16.0.0-rc-1 to before 16.4.6, and from 16.5.0-rc-1 to before 16.10.0-rc-1, a user who can access pages located in the XWiki space (by default, anyone) can access the page XWiki.Authentication.Administration and (unless an authenticator is set in xwiki.cfg) switch to another installed authenticator. Note that, by default, there is only one authenticator available (Standard XWiki Authenticator). So, if no authenticator extension was installed, it's not really possible to do anything for an attacker. Also, in most cases, if an SSO authenticator is installed and utilized (like OIDC or LDAP for example), the worst an attacker can do is break authentication by switching back to the standard authenticator (that's because it's impossible to login to a user which does not have a stored password, and that's usually what SSO authenticator produce). This issue has been patched in versions 15.10.14, 16.4.6, and 16.10.0-rc-1.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/46xxx/CVE-2025-46557.json"
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
2d012ed57597a233545023b92eda1ae346f43880
Fixed
26b3bc4fcbf373467d4a70e7127a758dcc37c430
Database specific 
{
    "versions": [
        {
            "introduced": "15.3-rc-1"
        },
        {
            "fixed": "15.10.14"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
6f103dbca9c98cf3b53bfadb83d982facb198d56
Fixed
5292357f68df062a1b2f6a48410c3753e94771d3
Database specific 
{
    "versions": [
        {
            "introduced": "16.0.0-rc-1"
        },
        {
            "fixed": "16.4.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
ed06c998964cae931ccfe7005a67eeaedaf60e58
Fixed
12d3595f5d2056af73f65f30211a5085a35cb1ce
Database specific 
{
    "versions": [
        {
            "introduced": "16.5.0-rc-1"
        },
        {
            "fixed": "16.10.0-rc-1"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-46557.json"