{
  "schema_version": "1.4.0",
  "id": "GHSA-gfp2-6qhm-7x43",
  "modified": "2025-03-19T20:34:56Z",
  "published": "2025-03-19T20:34:55Z",
  "aliases": [
    "CVE-2025-29926"
  ],
  "summary": "The WikiManager REST API allows any user to create wikis",
  "details": "### Impact\n\nAny user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the farm.\nNote that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager.\n\n### Patches\n\nThe problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.\n\n### Workarounds\n\nThere's no workaround other than upgrading the dependency.\n\n### References\n\n * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-22490\n * Commit of the fix: https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nYou can specify here who reported the issue.",
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-wiki-rest-default"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "5.4-rc-1"
            },
            {
              "fixed": "15.10.15"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-wiki-rest-default"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "16.0.0-rc-1"
            },
            {
              "fixed": "16.4.6"
            }
          ]
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-wiki-rest-default"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "16.5.0-rc-1"
            },
            {
              "fixed": "16.10.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gfp2-6qhm-7x43"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-29926"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/82aa670106c7f5e6238ca6ed59a52d1800e05b99"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-22490"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-862"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-19T20:34:55Z",
    "nvd_published_at": "2025-03-19T18:15:25Z"
  }
}