CVE-2025-65090 Overview
CVE-2025-65090 is an information disclosure vulnerability in the XWiki Full Calendar Macro extension. The flaw is in the Calendar.JSONService page, which did not restrict which fields of stored objects a request could select when serving calendar data. Prior to version 2.4.6, any user with view rights on the Calendar.JSONService page, which includes unauthenticated guests on wikis where guests may view it, could use the service to read database information, with the exception of password fields.
Critical Impact
Attackers, unauthenticated wherever the guest user can view the page, can read database content from affected XWiki installations through the exposed JSONService endpoint. Only password fields are withheld.
Affected Products
- XWiki Full Calendar Macro versions prior to 2.4.6
- XWiki installations with the macro-fullcalendar extension enabled
- Systems where guest users have view rights to Calendar.JSONService
Discovery Timeline
- 2026-01-10 - CVE CVE-2025-65090 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-65090
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw resides in the Calendar.JSONService component of the XWiki Full Calendar Macro, which processes and returns calendar-related data from the wiki's database. The service fails to implement proper field validation, allowing unauthorized users to request and retrieve data fields that should be restricted.
Exploitation is network-based and needs no user interaction; it needs no authentication on wikis where the guest user can view the page. The impact is limited to confidentiality: attackers can read data but not modify or delete it. Password fields are withheld, which reduces the impact of a breach but does not remove it, since the other fields stored on objects remain readable.
Root Cause
The root cause is improper input validation in the Calendar.JSONService.xml component. The service did not properly restrict which database fields could be queried through the JSON API, allowing users to request arbitrary field data beyond what is necessary for calendar functionality.
Attack Vector
The attack is carried out remotely over the network by any user with view permission on the Calendar.JSONService page. Since many XWiki deployments leave guest view access enabled on most pages, unauthenticated attackers can query the endpoint directly. The attacker sends requests to the JSONService endpoint naming fields beyond those the calendar needs, and the service returns the corresponding object data from the database.
xwiki.calendar.notification.loading=Loading calendar...
xwiki.calendar.notification.loaded=Calendar loaded
+xwiki.calendar.jsonservice.invalid=Field not allowed or invalid.
+
rendering.macro.calendar.name=Calendar
rendering.macro.calendar.description=Displays a Calendar
rendering.macro.calendar.parameter.gApiKey.name=gApiKey
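Review bot: the check that actually rejects a field outside the allowed set is not in this hunk; only the message it returns is. Please confirm in the same commit that the code in Calendar.JSONService.xml returns this string for every request that names a field outside the allowlist and never falls through to the query, and that the two conditions the wording folds together ("not allowed" and "invalid") produce an identical response, so the endpoint cannot be used to confirm which field names exist before the data they hold is requested. A test that requests one allowed field, one unknown field and one existing-but-disallowed field would pin this down.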
Source: GitHub Commit Changes
The patch adds a translation key, xwiki.calendar.jsonservice.invalid, whose text is returned when a request names a field that is not allowed or does not exist. The enforcing check lives in the Calendar.JSONService page itself; this hunk only supplies the message it returns.
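To make the root cause concrete, here is an added example that is not XWiki's code and not the extension's fix: a hypothetical Python model of a JSON service that returns selected fields of stored objects, in the vulnerable shape the advisory describes (anything goes except the password field) and in a hardened shape that enforces a field allowlist and answers with the same message for unknown and disallowed fields. The object store, the `fields` query parameter, `ALLOWED_FIELDS` and every sample value are constructed for the example; the real page is Velocity script inside XWiki and is not reproduced.

```python
"""
Added example, not XWiki's code: a hypothetical model of a JSON service
that returns selected fields of stored objects, in vulnerable and
hardened forms. The object store, the 'fields' query parameter,
ALLOWED_FIELDS and the sample values are all constructed here.
"""
from urllib.parse import parse_qs

# Constructed sample rows standing in for objects in the wiki database.
# 'email' and 'apiToken' stand in for non-calendar data stored alongside
# calendar objects; 'password' is the one field the advisory says the
# vulnerable service already withheld.
OBJECTS = [
    {"title": "Team sync", "start": "2026-01-12T10:00", "end": "2026-01-12T11:00",
     "allDay": False, "email": "alice@example.test", "password": "$hash1",
     "apiToken": "tok-alice"},
    {"title": "Release review", "start": "2026-01-14T15:00", "end": "2026-01-14T16:00",
     "allDay": False, "email": "bob@example.test", "password": "$hash2",
     "apiToken": "tok-bob"},
]

# Only what the calendar UI needs; everything else is rejected.
ALLOWED_FIELDS = frozenset({"title", "start", "end", "allDay"})
# Wording of the translation key added by the patch.
INVALID_MSG = "Field not allowed or invalid."


def parse_fields(query_string):
    """'fields=title,start' -> ['title', 'start'] (hypothetical parameter name)."""
    raw = parse_qs(query_string).get("fields", [""])[0]
    return [f.strip() for f in raw.split(",") if f.strip()]


def vulnerable_service(query_string):
    """Returns whatever fields the caller names, withholding only 'password'.

    Unknown fields come back as null, so a caller can also probe which
    field names exist on the objects.
    """
    fields = parse_fields(query_string)
    body = [{f: obj.get(f) for f in fields if f != "password"} for obj in OBJECTS]
    return {"status": 200, "body": body}


def hardened_service(query_string):
    """Rejects the whole request if any named field is outside the allowlist.

    Unknown and disallowed fields get the same message and status, so the
    response does not confirm which field names exist.
    """
    fields = parse_fields(query_string)
    if not fields or any(f not in ALLOWED_FIELDS for f in fields):
        return {"status": 400, "body": {"error": INVALID_MSG}}
    return {"status": 200, "body": [{f: obj[f] for f in fields} for obj in OBJECTS]}


if __name__ == "__main__":
    for q in ("fields=title,start", "fields=title,email,apiToken", "fields=nosuchfield"):
        print(q, "->", vulnerable_service(q)["body"], "|", hardened_service(q)["body"])
```

The point of checking the whole list before running the query, rather than filtering field by field, is that a request mixing one allowed and one sensitive field fails closed instead of partially succeeding.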
Detection Methods for CVE-2025-65090
Indicators of Compromise
- Unusual or high-volume requests to the Calendar.JSONService page (the path contains Calendar/JSONService, typically under /bin/get/ or /bin/view/)
- Requests to that page whose query string names fields the calendar itself does not use
- Requests to that page from clients with no authenticated session
- Many requests from one source that differ only in the requested fields, which is the signature of systematic field enumeration
- If SQL query logging is enabled, queries issued by the page that select columns beyond the calendar's own
Detection Strategies
- Monitor web server access logs for requests to Calendar.JSONService from guest sessions or from users who have no reason to use the calendar
- Rate-limit the endpoint and alert when the limit trips, since enumeration needs many requests
- Alert on requests to the page that arrive without an authenticated session (the access log must record the session or remote-user field for this to be visible)
- Review XWiki access logs for patterns indicating systematic data harvesting
Monitoring Recommendations
- Make sure the servlet container or reverse proxy logs the full request line, including the query string, for this page so that the requested fields are visible (the common and combined log patterns already record it via the request line)
- Set up SIEM rules to correlate repeated JSONService requests from a single source IP within a short window
- Monitor for bulk data retrieval patterns from the calendar API
- Audit guest user permissions periodically to ensure appropriate access controls
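The detection and monitoring bullets above amount to one procedure: aggregate requests to the Calendar.JSONService page per source IP and flag clients that send many requests or walk through many different query strings. The following is an added example, not part of the advisory and not the extension's code, that runs that logic over constructed Apache/Tomcat combined-format access log lines. The `fields` parameter name, the IP addresses and the thresholds are assumptions made for the example; the real service's parameter names are not documented on this page.

```python
"""
Added example, not XWiki's or the extension's code: a detector that scans
combined-format access log lines for enumeration of the
Calendar.JSONService page. The log lines, the 'fields' parameter name
and the thresholds are constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client walks through field names one per request,
# another makes the two identical requests a normal calendar view would make.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2026:09:00:01 +0000] "GET /xwiki/bin/get/Calendar/JSONService?fields=title HTTP/1.1" 200 312 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jan/2026:09:00:02 +0000] "GET /xwiki/bin/get/Calendar/JSONService?fields=start HTTP/1.1" 200 298 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jan/2026:09:00:03 +0000] "GET /xwiki/bin/get/Calendar/JSONService?fields=email HTTP/1.1" 200 355 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jan/2026:09:00:04 +0000] "GET /xwiki/bin/get/Calendar/JSONService?fields=apiToken HTTP/1.1" 200 340 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jan/2026:09:00:05 +0000] "GET /xwiki/bin/get/Calendar/JSONService?fields=password HTTP/1.1" 200 40 "-" "curl/8.5.0"
203.0.113.7 - - [10/Jan/2026:09:00:06 +0000] "GET /xwiki/bin/get/Calendar/JSONService?fields=salt HTTP/1.1" 200 300 "-" "curl/8.5.0"
198.51.100.2 - - [10/Jan/2026:09:05:10 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 15123 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2026:09:05:12 +0000] "GET /xwiki/bin/get/Calendar/JSONService?fields=title,start,end HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Jan/2026:09:07:40 +0000] "GET /xwiki/bin/get/Calendar/JSONService?fields=title,start,end HTTP/1.1" 200 612 "-" "Mozilla/5.0"
this line is not a valid access log entry
"""


def is_jsonservice(target):
    """True for any action (view, get, ...) on the Calendar.JSONService page."""
    return "/Calendar/JSONService" in urlsplit(target).path


def scan(lines, max_requests=20, max_distinct_queries=5):
    """Aggregate JSONService requests per source IP and flag enumeration.

    A client is flagged when it sends more than max_requests, or when it
    issues at least max_distinct_queries different query strings: one
    request per field name is the signature of walking the schema.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "queries": set(), "statuses": Counter()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_jsonservice(m["target"]):
            continue  # malformed line or unrelated page
        stats = per_ip[m["ip"]]
        stats["requests"] += 1
        stats["queries"].add(urlsplit(m["target"]).query)
        stats["statuses"][m["status"]] += 1

    findings = []
    for ip, stats in sorted(per_ip.items()):
        reasons = []
        if stats["requests"] > max_requests:
            reasons.append(f"{stats['requests']} requests (limit {max_requests})")
        if len(stats["queries"]) >= max_distinct_queries:
            reasons.append(f"{len(stats['queries'])} distinct query strings (limit {max_distinct_queries})")
        if reasons:
            findings.append({"ip": ip, "requests": stats["requests"],
                             "distinct_queries": len(stats["queries"]),
                             "successful": stats["statuses"]["200"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding["ip"], "; ".join(finding["reasons"]))
```

The distinct-query-string count is the more useful signal: a legitimate calendar view repeats the same request, while an enumeration changes the field list on every call and so trips the threshold long before raw volume looks abnormal. Feed it the real log, tune the two thresholds to the calendar's normal traffic, and treat a hit from a source with no session as the highest priority.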
How to Mitigate CVE-2025-65090
Immediate Actions Required
- Upgrade XWiki Full Calendar Macro to version 2.4.6 or later immediately
- Until the upgrade is done, restrict view permission on the Calendar.JSONService page to authenticated users; this blocks guests only, since any registered user can still exploit the flaw
- Review access logs for evidence of prior exploitation
- Audit any data that may have been exposed through the vulnerable endpoint
Patch Information
The vulnerability has been patched in XWiki Full Calendar Macro version 2.4.6. The fix introduces field validation to prevent unauthorized data access through the JSONService endpoint. For technical details, refer to the GitHub Security Advisory GHSA-637h and the associated commit. The issue is also tracked in XWiki JIRA Issue FULLCAL-82.
Workarounds
- Revoke the guest user's view permission on the Calendar.JSONService page until the patch can be applied (registered users can still exploit the flaw, so this is not a substitute for upgrading)
- Configure web application firewall or reverse proxy rules to block or rate-limit requests to Calendar.JSONService from clients outside the population that needs the calendar
- Disable the Full Calendar Macro extension if not critical to operations
- Implement network-level access controls to limit who can reach the XWiki instance
# Example: Restrict guest access to Calendar.JSONService (page-level rights)
# Open the Calendar.JSONService page, choose Administer Page from the More actions menu, then Rights
# On the Page tab:
# - Grant 'View' to the XWikiAllGroup group (all registered users)
# - Once an explicit allow rule exists on the page, XWikiGuest (a virtual user, not a group) no longer matches it and is denied
# - Verify from a logged-out browser or an unauthenticated curl request: the page should no longer return calendar data
# Note: this blocks guests only; registered users can still exploit the flaw until the extension is upgraded
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

