VYPR
Get started
← All advisories
Moderate severityOSV Advisory· Published Jan 10, 2026· Updated Jan 12, 2026

XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService

CVE-2025-65090

Description

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.xwiki.contrib:macro-fullcalendar-pomMaven
< 2.4.62.4.6

Affected products

1

Patches

1
25bc14c181c9

Merge commit from fork

https://github.com/xwiki-contrib/macro-fullcalendarSorin ChiuchiuAug 6, 2025via ghsa
commit
2 files changed · +36 9
  • macro-fullcalendar-ui/src/main/resources/Calendar/JSONService.xml+34 9 modified
    @@ -1,5 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-
 <!--
  * See the NOTICE file distributed with this work for additional
  * information regarding copyright ownership.
@@ -39,7 +38,34 @@
   <minorEdit>false</minorEdit>
   <syntaxId>xwiki/2.0</syntaxId>
   <hidden>true</hidden>
-  <content>{{velocity filter="html" wiki="false"}}
+  <content>{{velocity output='false'}}
+#macro (getField $classField $useDisplay)
+  #set ($result = $escapetool.xml($services.localization.render('xwiki.calendar.jsonservice.invalid')))
+  #set ($propertyClass = $itemdoc.getFirstObject($classField).getProperty($classField).getPropertyClass())
+  #if ($propertyClass)
+    #if (($propertyClass.getClassType() != 'Email' || !$services.mail.general.shouldObfuscate()) &amp;&amp;
+        $propertyClass.getClassType() != "Password")
+      #if ($useDisplay)
+        #set ($result = $itemdoc.display($classField))
+      #else
+        #set ($result = $itemdoc.getValue($classField))
+        #set ($xdom = $services.rendering.parse($result, 'xwiki/2.1'))
+        #set ($result = $services.rendering.render($xdom, 'plain/1.0'))
+      #end
+    #else
+      #set ($userRef = $xcontext.getUserReference())
+      #if ($isGuest)
+        #set ($userRef = 'guest user')
+      #end
+      #set ($discard = $services.logging.getLogger('Calendar.JSONService').warn("Forbidden access attempt:
+        User: ${userRef}
+        Class: ${request.classname}
+        Field: ${classField}"))
+    #end
+  #end
+#end
+{{/velocity}}
+{{velocity filter="html" wiki="false"}}
 #if ($xcontext.action == 'get' &amp;&amp; $services.csrf.isTokenValid($request.form_token))
   #if ("$!{request.outputSyntax}" == 'plain')
     $response.setContentType('application/json')
@@ -84,13 +110,12 @@
         ## Display the description as plain text. It is expected to be the content of a textarea field, so it has
         ## to be be processed. The $doc.display() method returns the content wrapped in {{html}} macro, which
         ## doesn't help in a wiki="false" environment.
-        #set ($description = $itemdoc.getValue($extraFields[0].trim()))
-        #set ($xdom = $services.rendering.parse($description, 'xwiki/2.1'))
-        #set ($description = $services.rendering.render($xdom, 'plain/1.0'))
-        #set ($currentResult.description = $description)
-
-        #set ($currentResult.location = $itemdoc.display($extraFields[1].trim()))
-        #set ($currentResult.status = $itemdoc.display($extraFields[2].trim()))
+        #getField($extraFields[0].trim() false)
+        #set ($currentResult.description = $result)
+        #getField($extraFields[1].trim() true)
+        #set ($currentResult.location = $result)
+        #getField($extraFields[2].trim() true)
+        #set ($currentResult.status = $result)
       #end
       #if ($end)
         #set ($discard = $currentResult.put('end', $end))
  • macro-fullcalendar-ui/src/main/resources/Calendar/Translations.xml+2 0 modified
    @@ -71,6 +71,8 @@ xwiki.calendar.notification.error=Failed to save the document. Reason: update fa
 xwiki.calendar.notification.loading=Loading calendar...
 xwiki.calendar.notification.loaded=Calendar loaded
 
+xwiki.calendar.jsonservice.invalid=Field not allowed or invalid.
+
 rendering.macro.calendar.name=Calendar
 rendering.macro.calendar.description=Displays a Calendar
 rendering.macro.calendar.parameter.gApiKey.name=gApiKey

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.