CVE-2025-54124

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-54124
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54124.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-54124
Aliases
Published
2025-08-05T23:28:07.166Z
Modified
2026-04-10T05:29:26.189001Z
Severity
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
XWiki Platform: Any user with editing rights can access password properties through Database List Properties
Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1.

Database specific 
{
    "cwe_ids": [
        "CWE-359"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54124.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
4e62bf6c41220735266416e6a0e919c1f0dcfef1
Fixed
f5a9a0762750936523187286919ec4c1892d6fea
Database specific 
{
    "versions": [
        {
            "introduced": "9.8-rc-1"
        },
        {
            "fixed": "16.4.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
ed06c998964cae931ccfe7005a67eeaedaf60e58
Fixed
f7ffb1f0f550da6c1d6ce60643aa9759e83f99f3
Database specific 
{
    "versions": [
        {
            "introduced": "16.5.0-rc-1"
        },
        {
            "fixed": "16.10.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
445c0831fb8cf5610eda0eb58225890cb2bece6c
Fixed
be57e1cdba445118e8572463e3f1485e5f4d64ef
Database specific 
{
    "versions": [
        {
            "introduced": "17.0.0-rc-1"
        },
        {
            "fixed": "17.2.0-rc-1"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54124.json"