Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2022-24820


Published: April 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130027
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-24820
CWE-ID: CWE-359
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in multiple Velocity templates when rendering Velocity documents. A remote attacker can render crafted Velocity documents to disclose sensitive information.

Hidden documents can be listed even when the guest user does not have permission to view wiki pages.


Remediation

Install the security update from the vendor's website.

External links