Missing Authorization in XWiki platform - CVE-2022-41929

 

Missing Authorization in XWiki platform - CVE-2022-41929

Published: November 21, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130004
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-41929
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to modify user account status.

The vulnerability exists due to missing authorization in User#setDisabledStatus when handling requests to enable or disable a user. A remote privileged user can invoke the affected method to modify user account status.

Only users with Script rights can exploit this issue, even though enabling or disabling users should require admin rights.


How to mitigate CVE-2022-41929

Install security update from vendor's website.

Sources