CVE-2025-54124: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform offering runtime services for applications, contains a critical vulnerability (CVE-2025-54124) affecting versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0. The vulnerability allows any user with editing rights to create an XClass with a database list property that references a password property, enabling unauthorized access to password hashes of all users and other password properties (GitHub Advisory).

The vulnerability stems from insufficient validation in the database list property functionality. When a user creates an XClass with a database list property referencing a password property, the content of that password property is displayed when adding an object of that XClass. This affects both hashed and plain storage password properties that are on pages the user can view. The vulnerability has been assigned a CVSS v4.0 score of 7.1 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, indicating network accessibility with low attack complexity (GitHub Advisory).

The vulnerability allows any authenticated user with edit rights to access password hashes of all users in the system, potentially compromising user account security. In standard rights setup configurations, this means any user with an account on the wiki can access these sensitive credentials. Additionally, if password properties are stored in plain text, the actual passwords could be exposed (GitHub Advisory).

The vulnerability has been patched in XWiki versions 16.4.7, 16.10.5, and 17.2.0-rc-1. The fix disallows the use of password properties in database list properties. Additionally, queries for email properties are now disallowed when email obfuscation is enabled. No workarounds are available for this vulnerability, making it critical for affected installations to upgrade to the patched versions (GitHub Advisory).