CVE-2022-36092 — HIGH (7.5)

Q: How severe is CVE-2022-36092?

CVE-2022-36092 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-36092?

Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.

Vulnerability Description

XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 14.2 and 13.10.4, all rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the login action and directly specified templates. This exposes title, content and comments of any document and properties of objects, though class and property name must be known. This is also exploitable on private wikis. This has been patched in versions 14.2 and 13.10.4 by properly checking view rights before loading documents and disallowing non-default templates in the login, registration and skin action. As a workaround, it would be possible to protect all templates individually by adding code to check access rights first.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Xwiki	Xwiki	< 13.10.4

Related Weaknesses (CWE)

CWE-287

References

https://github.com/xwiki/xwiki-platform/commit/71a6d0bb6f8ab718fcfaae0e9b8c16c2dPatchThird Party Advisory
https://github.com/xwiki/xwiki-platform/commit/9b7057d57a941592d763992d429945630PatchThird Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8h89-34w2-jpfmThird Party Advisory
https://jira.xwiki.org/browse/XWIKI-18602Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-19549Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/71a6d0bb6f8ab718fcfaae0e9b8c16c2dPatchThird Party Advisory
https://github.com/xwiki/xwiki-platform/commit/9b7057d57a941592d763992d429945630PatchThird Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8h89-34w2-jpfmThird Party Advisory
https://jira.xwiki.org/browse/XWIKI-18602Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-19549Vendor Advisory

FAQ

What is CVE-2022-36092?

CVE-2022-36092 is a vulnerability with a CVSS score of 7.5 (HIGH). XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 14.2 and 13.10.4, all rights checks that would normally prevent a user from viewing a document ...

How severe is CVE-2022-36092?

CVE-2022-36092 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-36092?

Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.