Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2022-36091

 

Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2022-36091

Published: September 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130018
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-36091
CWE-ID: CWE-359
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the suggestion feature when handling requests for object property suggestions. A remote attacker can send a specially crafted request to disclose sensitive information.

This can expose string and list properties of objects, including private personal information such as email addresses and salted password hashes, as well as sensitive configuration fields.


How to mitigate CVE-2022-36091

Install security update from vendor's website.

Sources