
CVE-2025-31487: The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server

CVSS 7.7 (High) · EPSS 0.23% · P45

I. Basic Information for CVE-2025-31487

Vulnerability Information


Vulnerability Title
The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server
Source: NVD (National Vulnerability Database)
Vulnerability Description
The XWiki JIRA extension provides various integration points between XWiki and JIRA (macros, UI, CKEditor plugin). If the JIRA macro is installed, any logged-in XWiki user could edit his/her user profile wiki page and use that JIRA macro, specifying a fake JIRA URL that returns XML with a DOCTYPE pointing to a local file on the XWiki server host, and have that file's content displayed in one of the returned JIRA fields (such as the summary or description). The vulnerability has been patched in the JIRA Extension v8.6.5.
Source: NVD (National Vulnerability Database)
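The flaw described above is a classic XXE: the extension fetches XML from a URL the user controls and hands it to a parser that honours DOCTYPE declarations, so an external entity in that DOCTYPE is expanded into a field the macro later renders. The following Java example is added here for illustration; it is not code from the XWiki JIRA extension or its fix. It contrasts a default `DocumentBuilderFactory` with one hardened to reject any DOCTYPE, parses a constructed JIRA-style response with each, and extracts the `summary` field. The `rss/channel/item/summary` layout and the placeholder `file:///` path in the hostile sample are assumptions made for the demonstration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class JiraResponseParser {

    // Constructed sample of what a hostile "JIRA server" could return: the DOCTYPE
    // declares an external entity that an unhardened parser expands into <summary>.
    // The path is a placeholder for the demonstration, not a real file.
    static final String HOSTILE_RESPONSE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE rss [<!ENTITY ext SYSTEM \"file:///placeholder/local/file\">]>\n"
      + "<rss><channel><item><summary>&ext;</summary></item></channel></rss>";

    // Constructed benign response in the same assumed layout.
    static final String BENIGN_RESPONSE =
        "<rss><channel><item><summary>Fix login page</summary></item></channel></rss>";

    /** Unsafe: factory defaults leave DOCTYPE and external entity expansion enabled. */
    static DocumentBuilder unsafeBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened: DOCTYPE is rejected outright, so no entity can be declared at all. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parser implementations that ignore the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns the first <summary> text, or null when the document is rejected. */
    static String summaryFrom(DocumentBuilder builder, String xml) throws Exception {
        try {
            Document doc = builder.parse(new InputSource(new StringReader(xml)));
            NodeList nodes = doc.getElementsByTagName("summary");
            return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent();
        } catch (SAXParseException e) {
            // A DOCTYPE in a response from a user-supplied URL is worth logging as a signal.
            System.err.println("rejected XML from remote server: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign, hardened: " + summaryFrom(hardenedBuilder(), BENIGN_RESPONSE));
        System.out.println("hostile, hardened: " + summaryFrom(hardenedBuilder(), HOSTILE_RESPONSE));
        // With the default builder the parser tries to open the file named in the DOCTYPE.
        // The placeholder path does not exist, so this run ends in an I/O error; on a
        // vulnerable deployment the real file's content would land in the summary field.
        try {
            System.out.println("hostile, unsafe: " + summaryFrom(unsafeBuilder(), HOSTILE_RESPONSE));
        } catch (Exception e) {
            System.out.println("hostile, unsafe: parser tried to resolve the external entity ("
                + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Rejecting the DOCTYPE, rather than only disabling external entities, is the stronger setting because it also removes internal entity expansion (billion-laughs style) and parameter entities in one step; when the remote server is chosen by an end user, as with this macro, there is no legitimate reason for its responses to carry a DOCTYPE at all.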
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Restriction of XML External Entity Reference (XXE)
Source: NVD (National Vulnerability Database)
Vulnerability Title
JIRA Integration code issue vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
JIRA Integration is an open-source development tool from XWiki Contrib. JIRA Integration has a code issue vulnerability: the JIRA macro can be pointed at a forged URL, which may lead to disclosure of local file contents.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor         Product   Affected Versions   CPE
xwiki-contrib  jira      >= 4.2, < 8.5.6     -

II. Public POCs for CVE-2025-31487


No public POC found.


III. Intelligence Information for CVE-2025-31487


IV. Related Vulnerabilities
