Xwiki Commons
Monthly
Path traversal in XWiki Platform allows unauthenticated remote attackers to read arbitrary files on the server, including sensitive configuration like WEB-INF/xwiki.cfg, by abusing the resource parameter of the ssx and jsx endpoints with leading-slash prefixes. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege exploitation with high impact to confidentiality, integrity, and availability of the vulnerable component. No public exploit identified at time of analysis, though the GitHub Security Advisory includes a working URL pattern that effectively demonstrates the issue.
Path traversal in XWiki Platform allows unauthenticated remote attackers to read arbitrary files on the server, including sensitive configuration like WEB-INF/xwiki.cfg, by abusing the resource parameter of the ssx and jsx endpoints with leading-slash prefixes. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege exploitation with high impact to confidentiality, integrity, and availability of the vulnerable component. No public exploit identified at time of analysis, though the GitHub Security Advisory includes a working URL pattern that effectively demonstrates the issue.