Authentication bypass using an alternate path or channel in XWiki platform - CVE-2022-36093

Published: September 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130016
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-36093
CWE-ID: CWE-288
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to create user accounts and bypass email verification.

The vulnerability exists because the xpart template accepts an alternate path or channel (CWE-288): a distribution wizard template can be passed to it, which lets a remote user create user accounts and bypass email verification.

On private wikis, exploitation can potentially grant access to the wiki, and on public wikis the resulting account may obtain write access depending on the configured default user rights. When an external authentication system is configured, created accounts cannot authenticate unless local account bypass is supported.


Remediation

Install security update from vendor's website.

External links