Vulnerability Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This is fixed in version 16.10.7.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | >= 4.3, < 16.10.7 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73dPatch
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cfVendor Advisory
- https://jira.xwiki.org/browse/XWIKI-23109Issue TrackingVendor Advisory
FAQ
What is CVE-2025-55748?
CVE-2025-55748 is a vulnerability with a CVSS score of 7.5 (HIGH). XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and...
How severe is CVE-2025-55748?
CVE-2025-55748 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-55748?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.