Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2022-36091

 


Published: September 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130018
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-36091
CWE-ID: CWE-359
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the suggestion feature when handling requests for object property suggestions: the endpoint returns matching property values without checking whether the requester is allowed to view the objects it searched. A remote, unauthenticated attacker (the CVSS vector records no privileges required) can send a specially crafted suggestion request to disclose sensitive information.

This can expose string and list properties of objects, including private personal information such as email addresses and salted password hashes, as well as sensitive configuration fields.
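The following is an added illustration of the vulnerability class described above; it is not XWiki's code and makes no claim about how XWiki implements or fixed its suggestion feature. It models a hypothetical suggestion endpoint that searches object properties across all documents. The vulnerable shape returns any matching value with no authorization or property-type check; the hardened shape applies the same view-right check as reading the document and refuses to echo password-type properties at all. Document, class and property names, the `viewers` access model and all sample values are constructed for the example.

```python
"""Hypothetical model of an object-property suggestion endpoint (not XWiki code).

Sample documents, classes, properties and values below are constructed for
this example. The point: a suggestion endpoint that searches object properties
across all documents must apply the same view-right check as reading the
document itself, and must never suggest values of property types that should
not be echoed back (e.g. password hashes).
"""
from dataclasses import dataclass, field


@dataclass
class Property:
    name: str
    ptype: str        # "String", "List" or "Password" (assumed type names)
    value: object     # str for String/Password, list[str] for List


@dataclass
class Document:
    name: str
    # class name -> list of objects; each object is a dict of property name -> Property
    objects: dict = field(default_factory=dict)
    # users allowed to view this document; "*" means public (assumed access model)
    viewers: set = field(default_factory=set)


def can_view(doc: Document, requester: str) -> bool:
    return "*" in doc.viewers or requester in doc.viewers


def _matching_values(prop: Property, prefix: str) -> list:
    values = prop.value if isinstance(prop.value, list) else [prop.value]
    return [v for v in values if v.startswith(prefix)]


def suggest_vulnerable(store, class_name, prop_name, prefix):
    """Vulnerable shape: searches every object of the class in every document
    and returns matching values with no authorization or property-type check."""
    hits = []
    for doc in store:
        for obj in doc.objects.get(class_name, []):
            prop = obj.get(prop_name)
            if prop is not None:
                hits.extend(_matching_values(prop, prefix))
    return hits


SUGGESTABLE_TYPES = {"String", "List"}   # only these types are ever suggested
NEVER_SUGGEST = {"Password"}             # hashes are never echoed, even to admins


def suggest_hardened(store, requester, class_name, prop_name, prefix):
    """Hardened shape: skip documents the requester cannot view and skip
    property types that must never be returned through suggestions."""
    hits = []
    for doc in store:
        if not can_view(doc, requester):
            continue
        for obj in doc.objects.get(class_name, []):
            prop = obj.get(prop_name)
            if prop is None or prop.ptype in NEVER_SUGGEST or prop.ptype not in SUGGESTABLE_TYPES:
                continue
            hits.extend(_matching_values(prop, prefix))
    return hits


def build_sample_store():
    """Constructed sample data: two user profiles and one restricted config page."""
    def user(doc_name, owner, email, pw_hash):
        return Document(
            name=doc_name,
            objects={"XWiki.XWikiUsers": [{
                "email": Property("email", "String", email),
                "password": Property("password", "Password", pw_hash),
            }]},
            viewers={owner, "Admin"},
        )

    config = Document(
        name="XWiki.MailConfig",
        objects={"XWiki.MailConfig": [{
            "smtp_host": Property("smtp_host", "String", "smtp.example.test"),
            "smtp_password": Property("smtp_password", "Password", "hash$constructed$3"),
        }]},
        viewers={"Admin"},
    )
    return [
        user("XWiki.Alice", "Alice", "alice@example.test", "hash$constructed$1"),
        user("XWiki.Bob", "Bob", "bob@example.test", "hash$constructed$2"),
        config,
    ]


if __name__ == "__main__":
    store = build_sample_store()
    print(suggest_vulnerable(store, "XWiki.XWikiUsers", "password", ""))
    print(suggest_hardened(store, "Anonymous", "XWiki.XWikiUsers", "email", ""))
```

Note that an empty prefix matches every value, so the vulnerable shape turns a typeahead helper into a bulk enumeration of every property of the class; that is why the authorization decision has to be made per document inside the endpoint rather than assumed from the page that normally calls it.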


Remediation

Install the security update from the vendor's website.

External links