GHSA-gfp2-6qhm-7x43

Source

https://github.com/advisories/GHSA-gfp2-6qhm-7x43

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-gfp2-6qhm-7x43/GHSA-gfp2-6qhm-7x43.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gfp2-6qhm-7x43

Aliases

CVE-2025-29926

Published

2025-03-19T20:34:55Z

Modified

2025-03-19T21:36:23.382060Z

Severity

7.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H CVSS Calculator

Summary

The WikiManager REST API allows any user to create wikis

Details

Impact

Any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager.

Patches

The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.

Workarounds

There's no workaround other than upgrading the dependency.

References

JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22490
Commit of the fix: https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

You can specify here who reported the issue.

Database specific

{
    "nvd_published_at": "2025-03-19T18:15:25Z",
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-19T20:34:55Z"
}

References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-wiki-rest-default

Package

Name: org.xwiki.platform:xwiki-platform-wiki-rest-default; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-wiki-rest-default

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.4-rc-1

Fixed

15.10.15

Maven / org.xwiki.platform:xwiki-platform-wiki-rest-default

Package

Name: org.xwiki.platform:xwiki-platform-wiki-rest-default; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-wiki-rest-default

Affected ranges

Type: ECOSYSTEM
Events: Introduced

16.0.0-rc-1

Fixed

16.4.6

Maven / org.xwiki.platform:xwiki-platform-wiki-rest-default

Package

Name: org.xwiki.platform:xwiki-platform-wiki-rest-default; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-wiki-rest-default

Affected ranges

Type: ECOSYSTEM
Events: Introduced

16.5.0-rc-1

Fixed

16.10.0