PT-2022-23182 · Unknown · Xwiki Platform

Michael Hamann · Published 2022-09-08 · Updated 2022-09-16 · CVE-2022-36092

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: XWiki Platform Old Core, versions prior to 14.2 and 13.10.4

Description: The issue allows all rights checks that would normally prevent a user from viewing a document on a wiki to be bypassed using the login action together with directly specified templates. This exposes the title, content, and comments of any document, as well as the properties of objects, although the class and property names must be known. The issue is also exploitable on private wikis.

Recommendations: For versions prior to 14.2, update to version 14.2 or later. For versions prior to 13.10.4, update to version 13.10.4 or later. As a temporary workaround, it is possible to protect every template individually by adding code that checks access rights first. However, given the number of templates and the fact that some of them must remain usable without view rights, this approach seems impractical.

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2022-36092
GHSA-8H89-34W2-JPFM

Affected Products

Xwiki Platform