CVE-2022-24821 is a vulnerability in XWiki
Published on April 8, 2022

Incorrect Use of Privileged APIs in org.xwiki.platform.skin.skinx
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory, only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki, but a bug allows anyone with edit rights to create them. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There is no easy workaround for this issue; administrators should upgrade their wiki.


Vulnerability Analysis

CVE-2022-24821 can be exploited with network access, requires user interaction and only low user privileges. This vulnerability is considered to have a low attack complexity. A public proof of concept (POC) exploit exists for CVE-2022-24821. An exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity or availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Weakness Type

Incorrect Use of Privileged APIs

The application does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.


Products Associated with CVE-2022-24821


Affected Versions

xwiki-platform Version > 3.1M1 is affected by CVE-2022-24821

Vulnerable Packages

The following package names and versions may be associated with CVE-2022-24821:

Package Manager   Vulnerable Package                                   Versions              Fixed In
maven             org.xwiki.platform:xwiki-platform-skin-skinx         >= 13.5.0, < 13.10    13.10
maven             org.xwiki.platform:xwiki-platform-skin-skinx         < 12.10.11            12.10.11
maven             org.xwiki.platform:xwiki-platform-skin-skinx         >= 13.0.0, < 13.4.6   13.4.6

Exploit Probability

EPSS: 0.70%
Percentile: 72.45%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares to the scores of all other vulnerabilities.