GHSA-8c52-x9w7-vc95
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8c52-x9w7-vc95
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-8c52-x9w7-vc95/GHSA-8c52-x9w7-vc95.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8c52-x9w7-vc95
- Aliases
-
- CVE-2025-65089
- Published
- 2025-11-18T19:02:15Z
- Modified
- 2025-11-18T19:27:48.640335Z
- Severity
-
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
- Summary
- XWiki view file macro: User can view content of office file without view rights on the attachment
- Details
-
Summary
A user with no view rights on a page may see the content of an office attachment displayed with the view file macro.
Details
If on a public page is displayed an office attachment from a restricted page, a user with no view rights on the restricted page can view the attachment content, no matter the display type used.
PoC
- Install and activate the Pro Macros application
- Create a page and limit the view rights for a test user
- Add an attachment to the restricted page
- Create a new public page
- Add the view file macro and select the attachment from the restricted page using any display type
- Login as the test user with restricted view rights
- The user will see the content despite having no view rights
Workarounds
None
Impact
Private data can be leaked if a user knows the reference to an attachment and has edit rights on a page.
- Database specific
{ "github_reviewed": true, "severity": "MODERATE", "cwe_ids": [ "CWE-862" ], "nvd_published_at": null, "github_reviewed_at": "2025-11-18T19:02:15Z" }- References
Affected packages
Maven / com.xwiki.pro:xwiki-pro-macros-ui
Package
- Name
- com.xwiki.pro:xwiki-pro-macros-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/com.xwiki.pro/xwiki-pro-macros-ui