Publish GHSA-8c52-x9w7-vc95

advisory-database[bot] · advisory-database[bot] · commit e36b52b02b1d · 2025-11-18T19:04:32.000Z
diff --git a/advisories/github-reviewed/2025/11/GHSA-8c52-x9w7-vc95/GHSA-8c52-x9w7-vc95.json b/advisories/github-reviewed/2025/11/GHSA-8c52-x9w7-vc95/GHSA-8c52-x9w7-vc95.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8c52-x9w7-vc95",
+  "modified": "2025-11-18T19:02:15Z",
+  "published": "2025-11-18T19:02:15Z",
+  "aliases": [
+    "CVE-2025-65089"
+  ],
+  "summary": "XWiki view file macro: User can view content of office file without view rights on the attachment ",
+  "details": "### Summary\nA user with no view rights on a page may see the content of an office attachment displayed with the view file macro.\n\n### Details\nIf on a public page is displayed an office attachment from a restricted page, a user with no view rights on the restricted page can view the attachment content, no matter the display type used.\n\n### PoC\n1. Install and activate the Pro Macros application\n2. Create a page and limit the view rights for a test user\n3. Add an attachment to the restricted page\n4. Create a new public page\n5. Add the view file macro and select the attachment from the restricted page using any display type\n6. Login as the test user with restricted view rights\n7. The user will see the content despite having no view rights\n\n### Workarounds\nNone\n\n### Impact\nPrivate data can be leaked if a user knows the reference to an attachment and has edit rights on a page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.xwiki.pro:xwiki-pro-macros-ui"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.27.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.26.20"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-8c52-x9w7-vc95"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/xwikisas/xwiki-pro-macros"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-18T19:02:15Z",
+    "nvd_published_at": null
+  }
+}
