Improper Authorization in XWiki platform - CVE-2022-36090

Published: September 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130019
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-36090
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote user to disclose sensitive information and modify data.

The vulnerability exists due to improper authorization in resource handlers, including the REST service, when handling requests from inactive users. A remote user can send a crafted REST call or access unprotected extension resource handlers to disclose sensitive information and modify data.

The issue concerns requests from inactive users, i.e. accounts that have not yet been activated or that have been disabled.
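As an added illustration of this flaw class (not XWiki's code), the hypothetical Python model below puts a dispatcher that checks rights but never consults account state beside one that gates every resource handler on account state before any rights check, so an extension handler cannot skip it. The `User`, `HANDLERS` and `dispatch_*` names and the sample routes are assumptions.

```python
"""Hypothetical model of CVE-2022-36090's flaw class: authorization that
ignores whether the requesting account is active. Not XWiki code."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    activated: bool = True                    # sign-up activation completed
    disabled: bool = False                    # disabled by an administrator
    rights: set = field(default_factory=set)  # e.g. {"view", "edit"}


def is_active(user: User) -> bool:
    """Inactive = not yet activated OR disabled (both cases in the advisory)."""
    return user.activated and not user.disabled


# Resource handlers, constructed for the example. The "extension" handler
# declares no required right, modelling an unprotected extension handler.
def rest_get_page(user, doc): return f"{doc}: content"
def rest_put_page(user, doc): return f"{doc}: updated by {user.name}"
def ext_export(user, doc): return f"{doc}: export"


HANDLERS = {
    "rest:get": ("view", rest_get_page),
    "rest:put": ("edit", rest_put_page),
    "ext:export": (None, ext_export),  # no right configured at all
}


def dispatch_vulnerable(user: User, route: str, doc: str) -> str:
    """Rights only: a disabled or unactivated user with rights gets through,
    and a handler with no configured right is open to anyone."""
    right, handler = HANDLERS[route]
    if right is not None and right not in user.rights:
        return "403"
    return handler(user, doc)


def dispatch_fixed(user: User, route: str, doc: str) -> str:
    """Account-state gate runs first for every route; handlers without a
    configured right fall back to requiring 'view' instead of being open."""
    if not is_active(user):
        return "403"
    right, handler = HANDLERS[route]
    if (right or "view") not in user.rights:
        return "403"
    return handler(user, doc)
```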


Remediation

Install the security update from the vendor's website.

External links