Improper Authorization in XWiki platform - CVE-2022-36090

 

Improper Authorization in XWiki platform - CVE-2022-36090

Published: September 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130019
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-36090
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify data.

The vulnerability exists due to improper authorization in resource handlers, including the REST service, when handling requests from inactive users. A remote user can send a crafted REST call or access unprotected extension resource handlers to disclose sensitive information and modify data.

The issue affects inactive users, including not yet activated and disabled accounts.


How to mitigate CVE-2022-36090

Install security update from vendor's website.

Sources