GHSA-637h-ch24-xp9m
Suggest an improvement- Source
- https://github.com/advisories/GHSA-637h-ch24-xp9m
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-637h-ch24-xp9m/GHSA-637h-ch24-xp9m.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-637h-ch24-xp9m
- Aliases
- Published
- 2026-01-09T18:35:57Z
- Modified
- 2026-01-11T15:31:45.967747Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- XWiki Full Calendar Macro vulnerable to data leak through Calendar.JSONService
- Details
-
Impact
Anyone who has view rights on the
Calendar.JSONServicepage, including guest users can exploit this vulnerability by accessing database info, with the exception of passwords.Workarounds
Remove the
Calendar.JSONServicepage. This will however break some functionalities.References
Jira issue: * FULLCAL-82: Calendar.JSONService exposes emails of all users
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-01-09T18:35:57Z", "severity": "MODERATE", "nvd_published_at": "2026-01-10T04:16:01Z", "cwe_ids": [ "CWE-200" ] }- References
-
- https://github.com/xwiki-contrib/macro-fullcalendar/security/advisories/GHSA-637h-ch24-xp9m
- https://nvd.nist.gov/vuln/detail/CVE-2025-65090
- https://github.com/xwiki-contrib/macro-fullcalendar/commit/25bc14c181c9a92f493b20ac264388c7ba171884
- https://github.com/xwiki-contrib/macro-fullcalendar
- https://jira.xwiki.org/browse/FULLCAL-82
Affected packages
Maven / org.xwiki.contrib:macro-fullcalendar-pom
Package
- Name
- org.xwiki.contrib:macro-fullcalendar-pom
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.contrib/macro-fullcalendar-pom