CVE-2025-54124 XWiki Platform: Any user with editing rights can access password properties through Database List Properties

🗓️ 05 Aug 2025 23:28:07Reported by GitHub_MType

XWiki Platform allows users with editing rights to access password properties, exposing sensitive data.

Reporter	Title	Published	Views	Family All 11
BDU FSTEC	The vulnerability of the xwiki-platform-oldcore module of the XWiki platform, which is used for creating collaborative web applications. This vulnerability allows attackers to gain unauthorized access to protected information.	7 Aug 202500:00	–	bdu_fstec
CNNVD	XWiki Platform 安全漏洞	6 Aug 202500:00	–	cnnvd
CVE	CVE-2025-54124	5 Aug 202523:28	–	cve
EUVD	EUVD-2025-23656	3 Oct 202520:07	–	euvd
Github Security Blog	XWiki leaks password hashes and other accessible password properties	5 Aug 202517:12	–	github
NVD	CVE-2025-54124	6 Aug 202500:15	–	nvd
OSV	CVE-2025-54124 XWiki Platform: Any user with editing rights can access password properties through Database List Properties	5 Aug 202523:28	–	osv
OSV	GHSA-R38M-CGPG-QJ69 XWiki leaks password hashes and other accessible password properties	5 Aug 202517:12	–	osv
Positive Technologies	PT-2025-31999 · Xwiki · Xwiki Platform	23 Jan 202500:00	–	ptsecurity
RedhatCVE	CVE-2025-54124	7 Aug 202523:32	–	redhatcve

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 9.8-rc-1, < 16.4.7",
        "status": "affected"
      },
      {
        "version": ">= 16.5.0-rc-1, < 16.10.5",
        "status": "affected"
      },
      {
        "version": ">= 17.0.0-rc-1, < 17.2.0-rc-1",
        "status": "affected"
      }
    ]
  }
]

Source	Link
github	www.github.com/xwiki/xwiki-platform/commit/f2ca8649cba2ed3765061660bf5c7f801afa0b24
github	www.github.com/xwiki/xwiki-platform/security/advisories/GHSA-r38m-cgpg-qj69
jira	www.jira.xwiki.org/browse/XWIKI-22811

05 Aug 2025 23:28Current

CVSS 47.1

EPSS0.00108

CWE-359