Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01OTl2LXc0OGgtcmpybc4AAu1h

XWiki Platform Web Templates vulnerable to Missing Authorization, Exposure of Private Personal Information to Unauthorized Actor

Impact

Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties.

Patches

The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties.

Workarounds

The template file suggest.vm can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though.

References

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-599v-w48h-rjrm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01OTl2LXc0OGgtcmpybc4AAu1h
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-599v-w48h-rjrm, CVE-2022-36091
References: Repository: https://github.com/xwiki/xwiki-platform

Affected Packages

maven:org.xwiki.platform:xwiki-platform-web
Affected Version Ranges: >= 14.0, < 14.2
Fixed in: 14.2
maven:org.xwiki.platform:xwiki-platform-web-templates
Affected Version Ranges: >= 1.3, < 13.10.4
Fixed in: 13.10.4