XWiki Platform Web Template: User Creation Bypass (CVE-2022-36093)
CVE-2022-36093 Published on September 8, 2022
XWiki Platform Web Templates vulnerable to Unauthorized User Registration Through the Distribution Wizard
XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. By passing a template of the distribution wizard to the xpart template, user accounts can be created even when user registration is disabled. This also circumvents any email verification. Before versions 14.2 and 13.10.4, this can also be exploited on a private wiki, thus potentially giving the attacker access to the wiki. Depending on the configured default rights of users, this could also give attackers write access to an otherwise read-only public wiki. Users can also be created when an external authentication system like LDAP is configured, but authentication fails unless the authentication system supports a bypass or local accounts are enabled in addition to the external authentication system. This issue has been patched in XWiki 13.10.5 and 14.3RC1. As a workaround, one may replace `xpart.vm`, the entry point for this attack, with the patched version of that file from the fix, without updating XWiki.
Vulnerability Analysis
CVE-2022-36093 can be exploited with network access and requires only a small amount of user privileges. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have a small impact on confidentiality, a high impact on integrity, and no impact on availability.
Weakness Types
Authentication Bypass Using an Alternate Path or Channel
A product requires authentication, but the product has an alternate path or channel that does not require authentication.
What is an authentication Vulnerability?
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
CVE-2022-36093 has been classified as an authentication vulnerability or weakness.
Products Associated with CVE-2022-36093
Affected Versions
xwiki-platform:
- Version >= 8.0-rc-1, < 13.10.5 is affected.
- Version >= 14.0, < 14.3-rc-1 is affected.
Vulnerable Packages
The following package names and versions may be associated with CVE-2022-36093.
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.xwiki.platform:xwiki-platform-web-templates | < 13.10.5 | 13.10.5 |
| maven | org.xwiki.platform:xwiki-platform-web | >= 8.0-rc-1, < 13.10.5 | 13.10.5 |
| maven | org.xwiki.platform:xwiki-platform-web-templates | >= 14.0, < 14.3-rc-1 | 14.3-rc-1 |
| maven | org.xwiki.platform:xwiki-platform-web | >= 14.0, < 14.3-rc-1 | 14.3-rc-1 |
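The two affected ranges above have release-candidate boundaries (8.0-rc-1 and 14.3-rc-1), which a naive string or float comparison gets wrong. The following added example (not code from stack.watch or the XWiki project) shows how a defender can check an inventory of deployed xwiki-platform versions against exactly the ranges listed on this page; the version strings in the sample inventory are constructed, and the parser assumes XWiki's `MAJOR.MINOR[.PATCH][-rc-N]` style (it also accepts the `14.3RC1` spelling used in the advisory text).

```python
import re

# Affected ranges copied from the advisory table for CVE-2022-36093:
# (inclusive lower bound, exclusive upper bound)
AFFECTED_RANGES = [
    ("8.0-rc-1", "13.10.5"),   # >= 8.0-rc-1, < 13.10.5 (fixed in 13.10.5)
    ("14.0", "14.3-rc-1"),     # >= 14.0,     < 14.3-rc-1 (fixed in 14.3-rc-1)
]

# Assumed version grammar: digits separated by dots, optional release-candidate
# suffix written as "-rc-N", "-rcN" or "RCN". Anything else is rejected loudly
# rather than silently treated as "not affected".
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-?rc-?(\d+))?")


def parse_version(version):
    """Turn a version such as '14.3-rc-1' into a tuple that compares correctly.

    Numeric components compare numerically (13.10 > 13.9), and a release
    candidate sorts *before* the final release with the same number, so
    14.3-rc-1 < 14.3 and 8.0-rc-1 < 8.0.
    """
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    numbers = numbers + (0,) * (4 - len(numbers))  # 14.0 == 14.0.0.0
    if m.group(2) is None:
        qualifier = (1, 0)                 # final release
    else:
        qualifier = (0, int(m.group(2)))   # rc-N: before final, ordered by N
    return (numbers, qualifier)


def is_affected(version):
    """True if the xwiki-platform version falls inside an affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def scan_versions(versions):
    """Return the deployed versions that still need the CVE-2022-36093 fix."""
    return [v for v in versions if is_affected(v)]


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    inventory = ["7.4.6", "8.0-rc-1", "13.10.4", "13.10.5", "14.2", "14.3-rc-1", "14.3RC1", "14.4"]
    for v in inventory:
        print(f"{v:10} affected={is_affected(v)}")
    print("needs patching:", scan_versions(inventory))
```

Note that the check reports the 13.10.x line as fixed from 13.10.5 onward while 14.0 through 14.2 remain affected, which matches the table: a site on 14.2 is not helped by the 13.10.5 fix and has to move to 14.3-rc-1 or later (or apply the `xpart.vm` workaround described above).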
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.