Unprotected storage of credentials in XWiki platform - CVE-2022-41933

Published: November 21, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130001
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-41933
CWE-ID: CWE-256
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists because the "Forgot your password" reset flow writes the newly chosen password to the database in plaintext instead of storing only a salted hash. A remote privileged user who can trigger a password reset and read the stored user data can recover the cleartext password of the affected account.

Only the reset path reachable from the "Forgot your password" link on the login page is affected; other ways of changing a password are not. The issue concerns users of the main wiki: in farm deployments, users registered on a subwiki are not affected.
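The following is an added illustration, not XWiki's code: a minimal "forgot your password" flow in Python, first in the vulnerable form the description above refers to (the submitted password lands in the user record as-is), then hardened so that only a salted PBKDF2 hash is stored, plus an audit that lists accounts whose stored credential is not in hashed form. The in-memory user table, the `hash:<algo>:<salt>:<digest>` serialisation and all function names are assumptions made for this example and do not describe XWiki's schema or API.

```python
# Added example (not XWiki's code): vulnerable vs. hardened password-reset
# handlers, plus an audit for plaintext-at-rest records.  The "database",
# the "hash:" record format and the function names are assumptions.
import hashlib
import hmac
import secrets

# Constructed in-memory user table: username -> record (not a real schema).
USERS = {
    "alice": {"email": "alice@example.org", "password": ""},
    "bob": {"email": "bob@example.org", "password": ""},
}
# Outstanding reset tokens: token -> username.
RESET_TOKENS = {}

PBKDF2_ITERATIONS = 600_000


def request_reset(username):
    """Step 1 of the flow: issue a single-use token (normally sent by e-mail)."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = username
    return token


def reset_password_vulnerable(token, new_password):
    """Vulnerable handler (CWE-256): the submitted password is stored as-is.
    Anyone who can read the user table (DB access, a backup, or another
    data-leak bug) now has the cleartext password."""
    username = RESET_TOKENS.pop(token, None)
    if username is None:
        return False
    USERS[username]["password"] = new_password  # plaintext at rest
    return True


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, serialised as hash:<algo>:<salt>:<digest>."""
    salt = salt if salt is not None else secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ITERATIONS
    ).hex()
    return f"hash:pbkdf2-sha256:{salt}:{digest}"


def reset_password_hardened(token, new_password):
    """Hardened handler: identical flow, but only a salted hash reaches storage."""
    username = RESET_TOKENS.pop(token, None)
    if username is None:
        return False
    USERS[username]["password"] = hash_password(new_password)
    return True


def verify_password(username, candidate):
    """Login check against the stored record; constant-time comparison."""
    stored = USERS[username]["password"]
    if not stored.startswith("hash:"):
        return False  # refuse to authenticate against an unhashed record
    _, algo, salt, _digest = stored.split(":", 3)
    if algo != "pbkdf2-sha256":
        return False
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def audit_plaintext_passwords(users):
    """Post-patch check: accounts whose stored credential is not a hash.
    A fix stops new plaintext writes; records written while vulnerable
    stay in the database until those users reset their password again."""
    return sorted(
        name for name, rec in users.items()
        if rec["password"] and not rec["password"].startswith("hash:")
    )


if __name__ == "__main__":
    reset_password_vulnerable(request_reset("alice"), "Winter2022!")
    reset_password_hardened(request_reset("bob"), "correct horse")
    print("alice record:", USERS["alice"]["password"])  # cleartext
    print("bob record:  ", USERS["bob"]["password"][:40] + "...")
    print("plaintext accounts:", audit_plaintext_passwords(USERS))
```

The audit function is the check to run after upgrading: a patched reset handler changes what new resets write, not what earlier resets already left in the table, so any account it reports should be made to reset its password again.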


Remediation

Install the security update from the vendor's website. Patching prevents new plaintext writes but does not by itself change what is already stored: verify whether accounts that reset their password while the vulnerable version was in use still hold a cleartext value, and have those users reset their password again if so.

External links