Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2022-24820

 

Exposure of Private Information ('Privacy Violation') in XWiki platform - CVE-2022-24820

Published: April 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130027
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-24820
CWE-ID: CWE-359
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in multiple velocity templates when rendering velocity documents. A remote attacker can render crafted velocity documents to disclose sensitive information.

Hidden documents can be listed even when the guest user does not have permission to view wiki pages.


How to mitigate CVE-2022-24820

Install security update from vendor's website.

Sources