Information disclosure in XWiki platform - CVE-2022-41935

 

Information disclosure in XWiki platform - CVE-2022-41935

Published: November 21, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU129997
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-41935
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information to an unauthorized actor in the LiveTable results endpoint when processing repeated Livetable queries for restricted documents. A remote attacker can send specially crafted queries to disclose sensitive information.

By iteratively refining query terms, an attacker can infer the existence of restricted documents and recover portions of their title, content, or XObject properties.


How to mitigate CVE-2022-41935

Install security update from vendor's website.

Sources