logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2022-36091 org.xwiki.platform:xwiki-platform-web-templates

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-web-templates
Vulnerable Version: >=1.3 <13.10.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00418 pctl0.61038

Details

XWiki Platform Web Templates vulnerable to Missing Authorization, Exposure of Private Personal Information to Unauthorized Actor ### Impact Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on [private wikis](https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Access%20Rights/#HPrivateWiki) at least for string properties. ### Patches The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. ### Workarounds The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been [overridden](https://extensions.xwiki.org/xwiki/bin/view/Extension/Skin%20Application#HHowtooverrideatemplate), in which case the overridden template should be patched, too. This might need adjustments for older versions, though. ### References * https://jira.xwiki.org/browse/XWIKI-18849 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org) * Email us at [security mailing-list](mailto:security@xwiki.com)

Metadata

Created: 2022-09-16T17:39:46Z
Modified: 2022-09-16T17:39:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-599v-w48h-rjrm/GHSA-599v-w48h-rjrm.json
CWE IDs: ["CWE-359", "CWE-862"]
Alternative ID: GHSA-599v-w48h-rjrm
Finding: F039
Auto approve: 1