CVE-2025-29925

描述

### Impact Protected pages are listed when requesting the REST endpoints `/rest/wikis/[wikiName]/pages` even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the wiki (actually it only impacts the main wiki due to XWIKI-22639). ### Patches The problem has been patched in XWiki 15.10.14, 16.4.6, 16.10.0RC1. In those versions the endpoint can still be requested but the result is filtered out based on pages rights. ### Workarounds There's no workaround except upgrading or applying manually the changes of the commits (see references) in `xwiki-platform-rest-server` and recompiling / rebuilding it. ### References * Original JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22630 * Related JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22639 * Commits of the patch: https://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206 and https://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

受影響套件(1)

• Maven/org.xwiki.platform:xwiki-platform-rest-server>= 1.9M1, < 15.10.14

CVSS 分數

參考連結(7)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-29925
• PATCHhttps://github.com/xwiki/xwiki-platform
• WEBhttps://github.com/xwiki/xwiki-platform/commit/1fb12d2780f37b34a1b4dfdf8457d97ce5cbb2df
• WEBhttps://github.com/xwiki/xwiki-platform/commit/bca72f5ce971a31dba2a016d8dd8badda4475206
• WEBhttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-22q5-9phm-744v
• WEBhttps://jira.xwiki.org/browse/XWIKI-22630
• WEBhttps://jira.xwiki.org/browse/XWIKI-22639