XWiki <=13.10.3 & <14.2: Template Suggestion Leak Sensitive Data
CVE-2022-36091 Published on September 8, 2022

XWiki Platform Web Templates vulnerable to Missing Authorization and Exposure of Private Personal Information to an Unauthorized Actor
XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. A workaround is available. The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though.

Github Repository NVD

Vulnerability Analysis

CVE-2022-36091 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Types

What is an AuthZ Vulnerability?

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

CVE-2022-36091 has been classified to as an AuthZ vulnerability or weakness.

What is a Privacy violation Vulnerability?

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

CVE-2022-36091 has been classified to as a Privacy violation vulnerability or weakness.


Products Associated with CVE-2022-36091

Want to know whenever a new CVE is published for Xwiki? stack.watch will email you.

Xwiki
 

Affected Versions

xwiki-platform:

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-36091

Package Manager Vulnerable Package Versions Fixed In
maven org.xwiki.platform:xwiki-platform-web-templates >= 1.3, < 13.10.4 13.10.4
maven org.xwiki.platform:xwiki-platform-web >= 14.0, < 14.2 14.2

Exploit Probability

EPSS
0.45%
Percentile
63.97%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.