Missing Authorization in XWiki platform - CVE-2022-41929

 

Published: November 21, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130004
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-41929
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to modify user account status.

The vulnerability exists because User#setDisabledStatus performs no authorization check when handling requests to enable or disable a user. A remote user holding Script rights can invoke the affected method directly to change another account's enabled/disabled status.

Only users with Script rights can exploit this issue; enabling or disabling a user is nonetheless an action that should require admin rights, so the missing check in the method itself is the defect (CWE-862).
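The following added example is not XWiki's code and does not reproduce its API; it is a small Python model of the CWE-862 pattern the advisory describes. The `User`, `Context`, `AccessDenied` and `AUDIT_LOG` names are hypothetical. It places a status setter that checks nothing beside a hardened version that enforces the admin right inside the method, so that exposing it to script-level callers no longer matters, and it records refused attempts so a defender can see which script-only accounts tried to change account status.

```python
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised when a caller lacks the right required for an operation."""


@dataclass
class Context:
    """Rights held by the caller of the API (constructed; not XWiki's context object)."""
    user: str
    rights: set = field(default_factory=set)  # e.g. {"script"} or {"script", "admin"}


# Audit trail of every status-change attempt, denied ones included, so a
# defender can spot script-rights accounts probing an admin-only operation.
AUDIT_LOG: list = []


@dataclass
class User:
    name: str
    disabled: bool = False

    def set_disabled_status_unchecked(self, disabled: bool) -> bool:
        """Vulnerable shape (CWE-862): any code path that reaches this method,
        including a script run by a user holding only Script rights, can change
        the account status because nothing checks who is asking."""
        self.disabled = disabled
        return self.disabled

    def set_disabled_status(self, ctx: Context, disabled: bool) -> bool:
        """Hardened shape: the method itself enforces the admin requirement
        before touching state, so being reachable from scripting is harmless."""
        allowed = "admin" in ctx.rights
        AUDIT_LOG.append({"actor": ctx.user, "target": self.name,
                          "disabled": disabled, "allowed": allowed})
        if not allowed:
            raise AccessDenied(
                f"{ctx.user} lacks the admin right needed to change {self.name}")
        self.disabled = disabled
        return self.disabled


def denied_attempts() -> list:
    """Audit query a defender would run: which actors tried and were refused."""
    return [e for e in AUDIT_LOG if not e["allowed"]]


def demo() -> dict:
    """Exercise both shapes with a script-only caller and an admin caller."""
    AUDIT_LOG.clear()
    script_only = Context("bob", {"script"})          # constructed sample caller
    admin = Context("carol", {"script", "admin"})     # constructed sample caller

    victim = User("alice")
    # Unchecked method: the script-only caller succeeds, which is the bug.
    unchecked_result = victim.set_disabled_status_unchecked(True)

    victim = User("alice")
    try:
        victim.set_disabled_status(script_only, True)
        script_blocked = False
    except AccessDenied:
        script_blocked = True
    admin_result = victim.set_disabled_status(admin, True)

    return {
        "unchecked_by_script_user": unchecked_result,   # True: status changed
        "hardened_blocks_script_user": script_blocked,  # True
        "hardened_allows_admin": admin_result,          # True
        "denied_actors": [e["actor"] for e in denied_attempts()],  # ["bob"]
    }


if __name__ == "__main__":
    print(demo())
```

The point of the hardened shape is where the check lives: the right is verified inside the mutating method rather than at whatever UI or script entry point happens to call it, so every reachable path, including script-level access, is covered by the same admin requirement.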


Remediation

Install the security update from the vendor's website.

External links