XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.

Basic Information

ID CVE-2025-65090

Source GitHub_M

Published Jan 10, 2026 at 03:05

Modified Jan 10, 2026 at 03:06

Affected Product

Vendor xwiki-contrib

Product macro-fullcalendar

Version < 2.4.6

Affected Versions xwiki-contrib macro-fullcalendar < 2.4.6

CWE Classification

CWE-200

References

{
    "lastseen": "",
    "description": "XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page (including guest users) can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has been patched in version 2.4.6.",
    "published": "2026-01-10T03:05:06.531Z",
    "modified": "2026-01-10T03:06:03.471Z",
    "type": "cve",
    "title": "XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService",
    "source": "GitHub_M",
    "references": "https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m\nhttps://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884\nhttps://jira.xwiki.org/browse/FULLCAL-82",
    "id": "CVE-2025-65090",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "xwiki-contrib macro-fullcalendar < 2.4.6",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "macro-fullcalendar",
    "version": "< 2.4.6",
    "vendor": "xwiki-contrib",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService_CVE-2025-65090