Critical severityNVD Advisory· Published Sep 3, 2025· Updated Sep 3, 2025
XWiki Platform's configuration files can be accessed through jsx and sx endpoints
CVE-2025-55748
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-2 through 16.10.6, configuration files are accessible through jsx and sx endpoints. It's possible to access and read configuration files by using URLs such as http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false. This is fixed in version 16.10.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-skin-skinxMaven | >= 4.2-milestone-2, < 16.10.7 | 16.10.7 |
Affected products
2- ghsa-coordsRange: >= 4.2-milestone-2, < 16.10.7
- Range: >= 4.2-milestone-2, < 16.10.7
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-m63c-3rmg-r2cfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-55748ghsaADVISORY
- github.com/xwiki/xwiki-platform/commit/9e7b4c03f2143978d891109a17159f73d4cdd318ghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-m63c-3rmg-r2cfghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-23109ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.