Auth Bypass XWiki oldcore User#setDisabledStatus (13.x/14.x)
CVE-2022-41929 Published on November 23, 2022
Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
org.xwiki.platform:xwiki-platform-oldcore performs no authorization check in User#setDisabledStatus. As a result, a user who holds only Script rights (not Admin rights) can enable or disable any user account by calling this method from a script, even though the operation is intended to be available only to users with admin rights. The problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.
Vulnerability Analysis
CVE-2022-41929 is exploitable over the network by an authenticated user with low privileges (an account that has been granted Script rights), and the attack complexity is low: no special conditions beyond that account are required. A public proof-of-concept (PoC) exploit exists for CVE-2022-41929. In terms of impact, exploitation has no effect on confidentiality, a high impact on integrity (arbitrary accounts, including administrators, can be disabled or re-enabled), and no direct impact on availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action. This is CWE-862 (Missing Authorization): the action itself is implemented correctly, but the code never asks whether the caller is allowed to perform it.
CVE-2022-41929 has been classified as an AuthZ (missing authorization) vulnerability.
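The pattern behind this CVE, as a self-contained example added here (this is not XWiki's code and does not use the XWiki API): a script-facing wrapper exposes an admin-only operation, once without any right check (the vulnerable shape) and once guarded by a check on the caller's rights (the hardened shape). The Right enum, AuthorizationChecker interface, UserApi class and the sample user "XWiki.Admin" are all hypothetical names chosen for illustration.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;

// Illustrative model of CVE-2022-41929, not XWiki's implementation:
// an operation meant for administrators, exposed to scripts, with and
// without the authorization check.
public class DisableStatusExample {

    /** Rights a caller may hold (illustrative names, not XWiki's Right enum). */
    enum Right { SCRIPT, ADMIN }

    /** Thrown when the caller lacks the right an operation requires. */
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String message) { super(message); }
    }

    /** Minimal stand-in for the caller's security context. */
    interface AuthorizationChecker {
        boolean hasAccess(Right right);
    }

    /** Minimal user record carrying only the flag this CVE is about. */
    static class UserDocument {
        final String name;
        boolean disabled;
        UserDocument(String name) { this.name = name; }
    }

    /** Script-facing wrapper around a user, analogous in role to the oldcore User API. */
    static class UserApi {
        private final UserDocument doc;
        private final AuthorizationChecker authz;

        UserApi(UserDocument doc, AuthorizationChecker authz) {
            this.doc = doc;
            this.authz = authz;
        }

        /** Vulnerable shape: anyone who can run a script can flip the flag. */
        void setDisabledStatusUnchecked(boolean disabled) {
            doc.disabled = disabled;
        }

        /** Hardened shape: refuse unless the caller holds ADMIN; the flag is untouched on refusal. */
        void setDisabledStatus(boolean disabled) {
            if (!authz.hasAccess(Right.ADMIN)) {
                throw new AccessDeniedException(
                    "changing the disabled status of " + doc.name + " requires admin rights");
            }
            doc.disabled = disabled;
        }

        boolean isDisabled() { return doc.disabled; }
    }

    /** Builds a context holding exactly the given rights (constructed sample, hypothetical helper). */
    static AuthorizationChecker withRights(Right... rights) {
        Set<Right> held = EnumSet.noneOf(Right.class);
        Collections.addAll(held, rights);
        return held::contains;
    }

    public static void main(String[] args) {
        UserDocument admin = new UserDocument("XWiki.Admin");   // constructed sample user
        AuthorizationChecker scriptOnly = withRights(Right.SCRIPT);
        AuthorizationChecker adminCaller = withRights(Right.SCRIPT, Right.ADMIN);

        // Unpatched behaviour: a Script-right caller locks the administrator out.
        new UserApi(admin, scriptOnly).setDisabledStatusUnchecked(true);
        System.out.println("unchecked, script caller: disabled=" + admin.disabled);

        // Patched behaviour: the same caller is refused and the flag does not change.
        admin.disabled = false;
        try {
            new UserApi(admin, scriptOnly).setDisabledStatus(true);
        } catch (AccessDeniedException e) {
            System.out.println("checked, script caller: " + e.getMessage());
        }
        System.out.println("checked, script caller: disabled=" + admin.disabled);

        // An administrator still performs the intended operation.
        new UserApi(admin, adminCaller).setDisabledStatus(true);
        System.out.println("checked, admin caller: disabled=" + admin.disabled);
    }
}
```

The point of the hardened shape is that the right check sits inside the operation itself, not in whichever page or script happens to call it: a script author with Script rights can reach the method directly, so a check performed only by the surrounding UI is not a control. On a real XWiki installation the practical check is the version: 13.10.7, 14.4.2 and 14.5RC1 or later contain the fix.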
Products Associated with CVE-2022-41929
Affected Versions
xwiki-platform:
- Version >= 11.7RC1, < 13.10.7 is affected.
- Version >= 14.0.0, < 14.4.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.