CVE-2022-36091

Published on: Not Yet Published

Last Modified on: 09/13/2022 05:59:00 PM UTC

CVE-2022-36091 - advisory for GHSA-599v-w48h-rjrm

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Certain versions of Xwiki from Xwiki contain the following vulnerability:

XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. A workaround is available. The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though.

  • CVE-2022-36091 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
  • Affected Vendor/Software: xwiki - xwiki-platform version >= 1.3, < 13.10.4
  • Affected Vendor/Software: xwiki - xwiki-platform version >= 14.0, < 14.2

CVSS3 Score: 7.5 - HIGH

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVE References

Description | Tags | Link
[XWIKI-18849] Private user data are accessible through suggest.vm - XWiki.org JIRA | MISC, text/html | jira.xwiki.org/browse/XWIKI-18849
Missing Authorization and Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-web-templates · Advisory · xwiki/xwiki-platform · GitHub | CONFIRM, text/html | github.com/xwiki/xwiki-platform/security/advisories/GHSA-599v-w48h-rjrm

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Xwiki | Xwiki | All | All | All | All
  • cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

Social Mentions

Source | Title | Posted (UTC)
Twitter @CVEreport | CVE-2022-36091 : XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through th… twitter.com/i/web/status/1… | 2022-09-08 16:11:27
Reddit /r/netcve | CVE-2022-36091 | 2022-09-08 17:38:32
© CVE.report 2022