Authentication bypass using an alternate path or channel in XWiki platform - CVE-2022-36092


Published: September 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130017
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-36092
CWE-ID: CWE-288
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists because the login action can be invoked with a directly specified template, which provides an alternate path that bypasses the normal authentication checks. A remote attacker can request restricted documents through the login action and so disclose sensitive information.

This can expose document titles, content, comments, and object properties when class and property names are known, including on private wikis.
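The following is an added detection example, not code from the advisory or from the XWiki project. It scans web-server access logs for the request shape the description names: the XWiki login action invoked with an explicit template-selection parameter. It assumes XWiki's usual /bin/<action>/<Space>/<Page> URL layout and that a template is selected with a query parameter; the parameter set (defaulting to XWiki's documented xpage parameter) and the sample log lines are assumptions and constructed data, and the parameter names should be verified against the deployed XWiki version.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the action is the path segment that follows "bin" in XWiki's
# /bin/<action>/<Space>/<Page> URL layout.
LOGIN_ACTION = "login"
# Assumption: query parameters that select a template. "xpage" is XWiki's
# documented template-selection parameter; confirm the set for your version.
TEMPLATE_PARAMS = {"xpage"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format log line; return None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    entry["query"] = parse_qs(url.query)
    return entry


def xwiki_action(path):
    """Extract the XWiki action from /xwiki/bin/<action>/... (None if absent)."""
    parts = path.split("/")
    if "bin" in parts:
        i = parts.index("bin")
        if i + 1 < len(parts):
            return parts[i + 1]
    return None


def is_suspicious(entry):
    """True when the login action is requested together with a template parameter.

    A plain login page request carries no template parameter, and template
    parameters on other actions (e.g. view) go through normal access control,
    so only the login-action-plus-template combination is flagged.
    """
    if xwiki_action(entry["path"]) != LOGIN_ACTION:
        return False
    return any(p in entry["query"] for p in TEMPLATE_PARAMS)


def scan(lines):
    """Return a summary dict for every suspicious request in the given log lines."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_suspicious(entry):
            continue
        hits.append({
            "ip": entry["ip"],
            "user": entry["user"],          # "-" means unauthenticated
            "path": entry["path"],
            "templates": {p: entry["query"][p] for p in TEMPLATE_PARAMS if p in entry["query"]},
            "status": entry["status"],
        })
    return hits


# Constructed sample log lines (not real traffic). Only the second one should fire.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Sep/2022:10:00:01 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin HTTP/1.1" 200 5120',
    '203.0.113.5 - - [08/Sep/2022:10:00:07 +0000] "GET /xwiki/bin/login/Private/Secret?xpage=example HTTP/1.1" 200 2048',
    '198.51.100.9 - alice [08/Sep/2022:10:01:00 +0000] "GET /xwiki/bin/view/Private/Secret?xpage=example HTTP/1.1" 200 4096',
    'this line is not a valid log entry',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The check deliberately keys on the presence of a template parameter rather than on any particular template value, so it does not need to know which templates are exposed; pair the alerts with the user field (unauthenticated requests reaching the login action with a template are the interesting ones) and with confirmation that the instance is on a fixed version.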


Remediation

Install security update from vendor's website.

External links