Information disclosure in XWiki platform - CVE-2022-41935

Published: November 21, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU129997
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-41935
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the LiveTable results endpoint exposes sensitive information to an unauthorized actor when it processes repeated LiveTable queries against restricted documents. A remote attacker can send specially crafted queries to disclose sensitive information.

By iteratively refining query terms, an attacker can infer the existence of restricted documents and recover portions of their title, content, or XObject properties.
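As an added illustration (not part of this advisory or of XWiki's own code), the Python below scans web-server access-log lines for the pattern the description mentions: one client issuing repeated LiveTable results requests whose filter value extends the previous one. The endpoint path, the `doc.title` filter parameter and the log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not real traffic). The endpoint path and the
# doc.title filter parameter are assumptions made for this example.
LOG = """\
10.0.0.5 - - [21/Nov/2022:10:00:01 +0000] "GET /xwiki/bin/get/XWiki/LiveTableResults?doc.title=S HTTP/1.1" 200 812
10.0.0.5 - - [21/Nov/2022:10:00:02 +0000] "GET /xwiki/bin/get/XWiki/LiveTableResults?doc.title=Se HTTP/1.1" 200 812
10.0.0.5 - - [21/Nov/2022:10:00:03 +0000] "GET /xwiki/bin/get/XWiki/LiveTableResults?doc.title=Sec HTTP/1.1" 200 812
10.0.0.5 - - [21/Nov/2022:10:00:04 +0000] "GET /xwiki/bin/get/XWiki/LiveTableResults?doc.title=Secr HTTP/1.1" 200 812
10.0.0.9 - - [21/Nov/2022:10:00:05 +0000] "GET /xwiki/bin/get/XWiki/LiveTableResults?doc.title=Budget HTTP/1.1" 200 812
10.0.0.9 - - [21/Nov/2022:10:01:05 +0000] "GET /xwiki/bin/get/XWiki/LiveTableResults?doc.title=Meeting HTTP/1.1" 200 812
"""
LOG_LINES = LOG.splitlines()

# Common log format: client, identd, user, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return client IP, request path and decoded query parameters, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    return {"ip": m.group("ip"), "path": url.path, "status": int(m.group("status")), "params": params}


def is_refinement(prev, cur):
    """True when cur narrows prev: same filter names, every value keeps its old
    prefix, and at least one value has grown."""
    if prev.keys() != cur.keys():
        return False
    return all(cur[k].startswith(prev[k]) for k in cur) and any(len(cur[k]) > len(prev[k]) for k in cur)


def longest_refinement_chain(lines, endpoint="LiveTableResults"):
    """Per client, the longest run of consecutive endpoint requests in which
    each query refines the one before it."""
    last, chain, longest = {}, {}, defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or endpoint not in rec["path"]:
            continue
        ip = rec["ip"]
        chain[ip] = chain[ip] + 1 if ip in last and is_refinement(last[ip], rec["params"]) else 1
        longest[ip] = max(longest[ip], chain[ip])
        last[ip] = rec["params"]
    return dict(longest)


def flag_clients(lines, threshold=3):
    """Clients whose refinement chain reaches the threshold, worth a closer look."""
    return sorted(ip for ip, n in longest_refinement_chain(lines).items() if n >= threshold)
```

On a real deployment the same logic would run over the reverse proxy or servlet access log; tune the threshold against ordinary type-ahead filtering from the wiki UI, which produces short chains from logged-in users.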


Remediation

Install security update from vendor's website.

External links