PT-2022-23180 · Xwiki · Xwiki

Thomas Mortagne · Published 2022-09-08 · Updated 2022-09-16 · CVE-2022-36090

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: XWiki Platform Old Core, versions prior to 13.10.5, and 14.x versions prior to 14.3-rc-1
Description: The issue arises from missing checks for inactive users in XWiki, including in the REST service, which lets a disabled user re-enable their own account with a REST call. Some resource handlers created by extensions are also not protected by default, so inactive users can perform the actions those extensions expose. The issue has existed since at least XWiki 1.1 and is more critical for versions 11.3-rc-1 and later.
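To make the described flaw concrete, here is an added illustration written for this page; it is not XWiki code and does not reproduce the actual XWiki REST service or its patch. A toy dispatcher authenticates callers and routes requests to handlers: one core user-management handler and one standing in for a resource handler contributed by an extension. In the vulnerable configuration the dispatcher only verifies credentials, so a disabled account that still knows its password can set its own `active` flag back to true and can also reach the extension handler. In the hardened configuration the inactive-caller check sits in the dispatcher itself, so every handler, including ones extensions register later, is protected by default. All account names, handler names and the `reject_inactive_callers` switch are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password: str
    active: bool = True
    is_admin: bool = False


class Unauthorized(Exception):
    """Credentials did not match any account."""


class Forbidden(Exception):
    """Caller is known but not allowed to do this."""


class UserDirectory:
    def __init__(self, users):
        self._users = {u.name: u for u in users}

    def authenticate(self, name, password):
        # Checks the password only. Whether the account is still active is a
        # separate question that the dispatcher has to ask.
        user = self._users.get(name)
        if user is None or user.password != password:
            raise Unauthorized("bad credentials for %r" % name)
        return user

    def get(self, name):
        return self._users[name]


class Api:
    """Toy request dispatcher. Registered handlers stand in both for core
    REST resources and for resource handlers contributed by extensions."""

    def __init__(self, directory, reject_inactive_callers):
        self.directory = directory
        self.reject_inactive_callers = reject_inactive_callers
        self._handlers = {}

    def register(self, name, handler):
        self._handlers[name] = handler

    def call(self, name, credentials, **params):
        caller = self.directory.authenticate(*credentials)
        # Hardened variant: refuse inactive callers here, once, so every
        # handler (including ones an extension adds later) inherits the check.
        # Vulnerable variant: skip it, mirroring the missing check described.
        if self.reject_inactive_callers and not caller.active:
            raise Forbidden("account %r is disabled" % caller.name)
        return self._handlers[name](self.directory, caller, **params)


def set_active(directory, caller, target, value):
    """User-management handler: users may edit themselves, admins anyone."""
    if caller.name != target and not caller.is_admin:
        raise Forbidden("%r may not edit %r" % (caller.name, target))
    user = directory.get(target)
    user.active = value
    return user.active


def extension_export(directory, caller, page):
    """Handler an extension contributes; it does no account-status check of
    its own and relies on the dispatcher for protection."""
    return "export of %r for %r" % (page, caller.name)


def build_api(reject_inactive_callers):
    # Constructed sample accounts (assumption): an admin and a disabled user.
    directory = UserDirectory([
        User("admin", "admin-pw", is_admin=True),
        User("mallory", "mallory-pw", active=False),
    ])
    api = Api(directory, reject_inactive_callers)
    api.register("users.setActive", set_active)
    api.register("ext.export", extension_export)
    return api


def disabled_user_outcomes(api):
    """Issue the two requests a disabled user should not be able to make and
    report what happened, plus the account's final state."""
    creds = ("mallory", "mallory-pw")
    outcomes = {}
    for name, params in (("users.setActive", {"target": "mallory", "value": True}),
                         ("ext.export", {"page": "Main.WebHome"})):
        try:
            outcomes[name] = api.call(name, creds, **params)
        except Forbidden as exc:
            outcomes[name] = "forbidden: %s" % exc
    outcomes["mallory_active_afterwards"] = api.directory.get("mallory").active
    return outcomes


if __name__ == "__main__":
    print("vulnerable:", disabled_user_outcomes(build_api(reject_inactive_callers=False)))
    print("hardened:  ", disabled_user_outcomes(build_api(reject_inactive_callers=True)))
```

The design point is where the check lives: putting it in the single dispatch path, rather than in each handler, is what makes extension-contributed handlers protected without having to opt in.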
Recommendations: Upgrade to XWiki 13.10.5 (13.x line) or XWiki 14.3-rc-1 (14.x line). No temporary workaround is available, so upgrading XWiki is the only way to mitigate the risk.
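The fixed versions are per release line, and XWiki release-candidate numbering (`14.3-rc-1` precedes `14.3`) makes naive string comparison unreliable. The following added check, which is not part of the advisory or of XWiki, classifies a version string against the ranges stated on this page: the 13.x and earlier lines are fixed in 13.10.5, the 14.x line in 14.3-rc-1, later lines are fixed, and anything still affected at or above 11.3-rc-1 is flagged as the "more critical" band. Versions below 1.1 are treated as affected because the page says the issue exists "since at least" 1.1; that conservative reading, the sample inventory, and the `-rc-N` grammar the parser accepts (milestone or snapshot builds are rejected) are assumptions of the example.

```python
import re

# Fixed versions named in the advisory, one per affected release line.
FIXED_13X = "13.10.5"
FIXED_14X = "14.3-rc-1"
# From this version on the advisory rates the issue as more critical.
MORE_CRITICAL_FROM = "11.3-rc-1"

# Accepts 'N', 'N.N', 'N.N.N', ... optionally followed by '-rc-N'.
# Milestone or SNAPSHOT builds are not covered by the advisory text and are
# rejected rather than guessed at (an assumption of this example).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-rc-(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn an XWiki version string into a sortable pair
    (numeric components padded to four, pre-release marker).
    A release candidate sorts before the final release of the same number
    (14.3-rc-1 < 14.3) because its marker (0, N) is below the final
    release's marker (1, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised XWiki version string: %r" % text)
    numbers = [int(p) for p in m.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))          # '14.3' == '14.3.0.0'
    marker = (1, 0) if m.group(2) is None else (0, int(m.group(2)))
    return tuple(numbers), marker


def assess(version):
    """Classify a running version against CVE-2022-36090 using only the
    ranges stated in the advisory. Returns 'fixed', 'affected' or
    'affected (more critical)'."""
    v = parse_version(version)
    major = v[0][0]
    # 14.x is fixed in 14.3-rc-1; every other line is measured against
    # 13.10.5, which also makes 15.x and later come out as fixed.
    fixed_in = FIXED_14X if major == 14 else FIXED_13X
    if v >= parse_version(fixed_in):
        return "fixed"
    if v >= parse_version(MORE_CRITICAL_FROM):
        return "affected (more critical)"
    return "affected"


if __name__ == "__main__":
    # Constructed inventory for demonstration (assumption); not real hosts.
    inventory = {
        "wiki-legacy.example": "11.2",
        "wiki-lts.example": "13.10.4",
        "wiki-lts-patched.example": "13.10.5",
        "wiki-current.example": "14.2",
        "wiki-current-patched.example": "14.3-rc-1",
    }
    for host, version in sorted(inventory.items()):
        print("%-28s %-10s %s" % (host, version, assess(version)))
```

Feed it the version string your instances report and treat any result other than "fixed" as a reason to schedule the upgrade, since the page offers no workaround.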

Weakness Enumeration

Improper Authorization

Related Identifiers

CVE-2022-36090
GHSA-JGC8-GVCX-9VFX

Affected Products

Xwiki