Improper privilege management in XWiki platform - CVE-2022-31166

 

Improper privilege management in XWiki platform - CVE-2022-31166

Published: September 7, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130021
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-31166
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper privilege management in XWikiRights resolution of groups when editing a right with the object editor. A remote user can add a supplementary empty group value that is resolved as a reference to XWiki.WebHome and then add an XWikiGroup object to grant themselves the privileges related to the edited right to escalate privileges.

The issue depends on XWiki.WebHome being editable, since an empty group value is resolved as a reference to that page.


How to mitigate CVE-2022-31166

Install security update from vendor's website.

Sources