CVE-2022-36092

XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 14.2 and 13.10.4, all rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the login action and directly specified templates. This exposes title, content and comments of any document and properties of objects, though class and property name must be known. This is also exploitable on private wikis. This has been patched in versions 14.2 and 13.10.4 by properly checking view rights before loading documents and disallowing non-default templates in the login, registration and skin action. As a workaround, it would be possible to protect all templates individually by adding code to check access rights first.

XWiki Platform Old Core es un paquete central para XWiki Platform, una plataforma wiki genérica. En versiones anteriores a 14.2 y 13.10.4, todas las verificaciones de derechos que normalmente impedirían que un usuario visualice un documento en un wiki pueden omitirse mediante la acción de inicio de sesión y las plantillas especificadas directamente. Esto expone el título, el contenido y los comentarios de cualquier documento y las propiedades de los objetos, aunque es debido conocer el nombre de la clase y la propiedad. Esto también es explotable en wikis privados. Esto ha sido corregido en versiones 14.2 y 13.10.4, al verificar apropiadamente los derechos de visualización antes de cargar documentos y al rechazar las plantillas no predeterminadas en la acción de inicio de sesión, registro y máscara. Como mitigación, sería posible proteger todas las plantillas individualmente al agregar código para verificar primero los derechos de acceso

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-15 CVE Reserved
2022-09-08 CVE Published
2024-03-31 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-287: Improper Authentication

CAPEC

References (5)

URL	Tag	Source
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8h89-34w2-jpfm	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/xwiki/xwiki-platform/commit/71a6d0bb6f8ab718fcfaae0e9b8c16c2d69cd4bb	2022-09-14
https://github.com/xwiki/xwiki-platform/commit/9b7057d57a941592d763992d4299456300918208	2022-09-14

URL	Date	SRC
https://jira.xwiki.org/browse/XWIKI-18602	2022-09-14
https://jira.xwiki.org/browse/XWIKI-19549	2022-09-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				< 13.10.4 Search vendor "Xwiki" for product "Xwiki" and version " < 13.10.4"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 14.0 < 14.2 Search vendor "Xwiki" for product "Xwiki" and version " >= 14.0 < 14.2"		-		Affected