PT-2022-16135 · Xwiki · Xwiki Platform
Nancheal
Published: 2022-02-09 · Updated: 2023-07-13
CVE-2022-23621
CVSS v3.1: 5.5 (Medium)
| Vector | AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 12.10.9
XWiki Platform versions prior to 13.4.3
XWiki Platform versions prior to 13.7-rc-1
Description
The issue allows any user with SCRIPT right to read any file located in the XWiki WAR, such as xwiki.cfg and xwiki.properties, through XWiki#invokeServletAndReturnAsString, for example: $xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg").
Recommendations
For versions prior to 12.10.9, update to version 12.10.9 or later.
For versions prior to 13.4.3, update to version 13.4.3 or later.
For versions prior to 13.7-rc-1, update to version 13.7-rc-1 or later.
As a temporary workaround, consider limiting the SCRIPT right to trusted users.
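The recommendations above give three fixed versions on three release lines. The following helper, added here as an example and not part of the advisory or of the XWiki project, parses XWiki version strings (including release-candidate suffixes such as 13.7-rc-1) and reports whether an installed version falls into one of the affected ranges, so an administrator can check an inventory offline. The mapping of version lines to fixed versions (12.x before 12.10.9, 13.0 to 13.4 before 13.4.3, 13.5 and later before 13.7-rc-1) is this example's reading of the three "prior to" lines and is an assumption; the sample inventory at the bottom is constructed.

```python
import re
from typing import Tuple

# Fixed versions as stated in the advisory for CVE-2022-23621.
FIXED_12X = "12.10.9"
FIXED_13_EARLY = "13.4.3"
FIXED_13_LATE = "13.7-rc-1"

VersionKey = Tuple[Tuple[int, int, int], int, int]


def parse_version(v: str) -> VersionKey:
    """Turn 'MAJOR.MINOR[.PATCH][-rc-N]' into a sortable key.

    The key is (numeric part padded to three components, release flag, rc number).
    A release candidate (flag 0) sorts before the final release (flag 1) of the
    same number, so 13.7-rc-1 < 13.7-rc-2 < 13.7.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-rc-(\d+))?", v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {v!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many version components: {v!r}")
    nums = tuple(parts + [0] * (3 - len(parts)))
    if m.group(2) is None:
        return (nums, 1, 0)           # final release
    return (nums, 0, int(m.group(2)))  # release candidate


def is_affected(installed: str) -> bool:
    """True if 'installed' is in an affected range for CVE-2022-23621.

    Assumed branch boundaries (this example's reading of the advisory):
      - anything before 13.0 is compared against 12.10.9
      - 13.0 up to 13.4 is compared against 13.4.3
      - 13.5 and later is compared against 13.7-rc-1
    """
    key = parse_version(installed)
    major_minor = key[0][:2]
    if major_minor < (13, 0):
        return key < parse_version(FIXED_12X)
    if major_minor < (13, 5):
        return key < parse_version(FIXED_13_EARLY)
    return key < parse_version(FIXED_13_LATE)


def report(versions) -> dict:
    """Map each version string in an inventory to 'affected' / 'fixed'."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    inventory = ["11.10.5", "12.10.8", "12.10.9", "13.4.2", "13.4.3",
                 "13.6", "13.7-rc-1", "13.7", "14.0"]
    for version, status in report(inventory).items():
        print(f"{version:>10}  {status}")
```

Hosts reported as affected should be updated to the fixed version of their line; until then, restricting the SCRIPT right to trusted users, as the advisory suggests, limits who can reach the vulnerable API.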
Exploit
Fix
Missing Authorization
Files Accessible to External Parties
Related Identifiers
Affected Products
Xwiki Platform