XWiki Platform Core Bypass Docs View Rights (14.2/13.10.4)
CVE-2022-36092 Published on September 8, 2022

XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 14.2 and 13.10.4, all rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the login action and directly specified templates. This exposes title, content and comments of any document and properties of objects, though class and property name must be known. This is also exploitable on private wikis. This has been patched in versions 14.2 and 13.10.4 by properly checking view rights before loading documents and disallowing non-default templates in the login, registration and skin action. As a workaround, it would be possible to protect all templates individually by adding code to check access rights first.

Github Repository NVD

Vulnerability Analysis

CVE-2022-36092 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Type

What is an authentification Vulnerability?

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

CVE-2022-36092 has been classified to as an authentification vulnerability or weakness.


Products Associated with CVE-2022-36092

Want to know whenever a new CVE is published for Xwiki? stack.watch will email you.

Xwiki
 

Affected Versions

xwiki-platform:

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-36092

Package Manager Vulnerable Package Versions Fixed In
maven org.xwiki.platform:xwiki-platform-oldcore < 13.10.4 13.10.4
maven org.xwiki.platform:xwiki-platform-oldcore >= 14.0, < 14.2 14.2

Exploit Probability

EPSS
0.29%
Percentile
53.00%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.