CVE-2022-36091

XWiki Platform Web Templates vulnerable to Missing Authorization and Exposure of Private Personal Information to an Unauthorized Actor

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. A workaround is available. The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though.

XWiki Platform Web Templates son plantillas para la plataforma XWiki, una plataforma wiki genérica. mediante la funcionalidad de sugerencia, puede acceder a las propiedades de cadena y lista de los objetos a los que el usuario no debería tener acceso en versiones anteriores a 13.10.4 y 14.2. Esto incluye información personal privada como direcciones de correo electrónico y hashes de contraseñas saladas de usuarios registrados, pero también otra información almacenada en las propiedades de los objetos. Podría accederse a campos de configuración confidenciales como contraseñas para servidores LDAP o SMTP. Al explotar una vulnerabilidad adicional, este problema puede incluso explotarse en wikis privados al menos para las propiedades de cadenas. El problema está parcheado en versiones 13.10.4 y 14.2. Las propiedades de la contraseña ya no son mostradas y los derechos son verificados para otras propiedades. Se presenta una mitigación disponible. El archivo de plantilla "suggest. vm" puede reemplazarse por una versión parcheada sin actualizar o reiniciar XWiki a menos que haya sido anulada, en cuyo caso la plantilla anulada también debe ser parcheada. Sin embargo, esto podría necesitar ajustes para versiones anteriores

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-15 CVE Reserved
2022-09-08 CVE Published
2024-03-31 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
CWE-862: Missing Authorization

CAPEC

References (2)

URL	Tag	Source
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-599v-w48h-rjrm	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://jira.xwiki.org/browse/XWIKI-18849	2023-07-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 1.3 < 13.10.4 Search vendor "Xwiki" for product "Xwiki" and version " >= 1.3 < 13.10.4"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 14.0 < 14.2 Search vendor "Xwiki" for product "Xwiki" and version " >= 14.0 < 14.2"		-		Affected