CVE-2025-65090: XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService
Anyone who has view rights on the Calendar.JSONService page, including guest users, can exploit this vulnerability to access database information, with the exception of passwords.
References
- github.com/advisories/GHSA-637h-ch24-xp9m
- github.com/xwiki-contrib/macro-fullcalendar
- github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884
- github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m
- jira.xwiki.org/browse/FULLCAL-82
- nvd.nist.gov/vuln/detail/CVE-2025-65090