PT-2022-23181 · Xwiki · Xwiki-Platform-Web-Templates

Guillaume Coquard · Published 2022-09-08 · Updated 2023-07-21 · CVE-2022-36091

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: XWiki Platform Web Templates, versions prior to 13.10.4 on the 13.x branch and prior to 14.2 on the 14.x branch.

Description: The suggestion template suggest.vm returns string and list properties of objects without checking whether the requesting user is allowed to view the documents that hold them. This exposes private personal information such as the email addresses and salted password hashes of registered users, as well as sensitive configuration fields such as passwords for LDAP or SMTP servers. On private wikis the issue can be exploited at least for string properties by chaining it with an additional vulnerability. The CVSS vector (AV:N, PR:N, UI:N, C:H) reflects that an unauthenticated remote request suffices and that the impact is on confidentiality only.

Recommendations: Upgrade to 13.10.4 or later on the 13.x branch, or to 14.2 or later on the 14.x branch. As a temporary workaround, the template file suggest.vm can be replaced with a patched version without upgrading or restarting XWiki; if the template has been overridden, the overridden copy must be patched as well. The patched template may need adjustments to apply to older versions. Whichever route is taken, verify the result by confirming that a suggestion request from a user without view rights on a document no longer returns that document's property values.
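The following Python model is added here to illustrate the shape of the flaw and its fix; it is not part of the advisory and not XWiki's code (suggest.vm is a Velocity template and XWiki's document, object and rights APIs are not reproduced). It models a suggestion endpoint that collects the string and list property values of objects of a given class and returns those matching a prefix, first without and then with a check that the requesting user may view the document owning each object. The classes, function names and the sample wiki data, including every property name and value, are constructed for the example.

```python
"""Model of the missing-authorization pattern behind CVE-2022-36091.

Added illustration, not XWiki's own code. The document/object/rights model
below is a constructed stand-in for what a suggestion endpoint like
suggest.vm does: return object property values that match a prefix.
"""
from dataclasses import dataclass


@dataclass
class XObject:
    class_name: str          # e.g. "XWiki.XWikiUsers"
    props: dict              # property name -> str or list of str


@dataclass
class Document:
    ref: str                 # document reference, e.g. "XWiki.Admin"
    viewers: set             # users allowed to view; "*" means everyone
    objects: list            # XObject instances attached to the document


def can_view(user: str, doc: Document) -> bool:
    """Stand-in for the wiki's 'view' right check (hypothetical)."""
    return "*" in doc.viewers or user in doc.viewers


def _matches(value, prefix: str) -> list:
    """Entries of a string or list property starting with prefix (case-insensitive)."""
    entries = value if isinstance(value, list) else [value]
    return [v for v in entries if v.lower().startswith(prefix.lower())]


def vulnerable_suggest(docs, class_name, prop, prefix, user):
    """Vulnerable shape: walks every object of the class and returns matching
    values, never asking whether `user` may view the owning document."""
    hits = []
    for doc in docs:
        for obj in doc.objects:
            if obj.class_name == class_name and prop in obj.props:
                hits.extend(_matches(obj.props[prop], prefix))
    return hits


def fixed_suggest(docs, class_name, prop, prefix, user):
    """Fixed shape: same walk, but documents the caller cannot view are
    skipped, so their property values neither appear nor affect the result."""
    hits = []
    for doc in docs:
        if not can_view(user, doc):
            continue
        for obj in doc.objects:
            if obj.class_name == class_name and prop in obj.props:
                hits.extend(_matches(obj.props[prop], prefix))
    return hits


# Constructed sample wiki: names, property names and values are made up.
SAMPLE_WIKI = [
    Document("XWiki.Admin", {"Admin"}, [
        XObject("XWiki.XWikiUsers", {
            "email": "admin@example.invalid",
            "password": "hash:SHA-512:1f2e:9a8b",   # made-up salted hash
        }),
    ]),
    Document("XWiki.XWikiPreferences", {"Admin"}, [
        XObject("XWiki.XWikiPreferences", {
            "ldap_bind_pass": "S3cretBindPassword",        # made up
            "smtp_server_password": "S3cretSmtpPassword",  # made up
        }),
    ]),
    Document("Main.Team", {"*"}, [
        XObject("Example.TeamClass", {
            "members": ["alice", "bob", "carol"],   # a list property
        }),
    ]),
]


def demo():
    """Guest queries: leaked hash (vulnerable), nothing (fixed), public list (fixed)."""
    leaked = vulnerable_suggest(SAMPLE_WIKI, "XWiki.XWikiUsers", "password", "hash", "Guest")
    safe = fixed_suggest(SAMPLE_WIKI, "XWiki.XWikiUsers", "password", "hash", "Guest")
    public = fixed_suggest(SAMPLE_WIKI, "Example.TeamClass", "members", "a", "Guest")
    return leaked, safe, public


if __name__ == "__main__":
    print(demo())
```

Running demo() as Guest shows the vulnerable walk handing out the admin's password hash and, with an empty prefix, every LDAP or SMTP secret in the preferences document, while the fixed walk returns nothing from protected documents yet still serves the public list property. The check has to be applied to the document that owns each object, since the property values themselves carry no access control, and it has to cover list properties as well as strings.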

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2022-36091, GHSA-599V-W48H-RJRM

Affected Products: Xwiki-Platform-Web-Templates