Improper access control in XWiki platform - CVE-2022-23615

Published: February 9, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130041
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-23615
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information and modify data.

The vulnerability exists due to improper access control when a document is saved with programming rights: the saved document is granted the rights of the current user. A remote privileged user can therefore save a document that runs with the rights of the current user in order to disclose sensitive information and modify data.

User interaction is required, and exploitation is only possible when the current user has programming rights.


How to mitigate CVE-2022-23615

Install the security update from the vendor's website.

Sources