PT-2022-23183 · Unknown · Xwiki Platform

Michael Hamann · Published 2022-09-08 · Updated 2022-09-16 · CVE-2022-36093

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 13.10.5
XWiki Platform versions prior to 14.2

Description
The issue allows user accounts to be created even when user registration is disabled, by passing a template of the distribution wizard to the xpart template, which circumvents email verification. On a private wiki this can give the attacker access to the wiki; on an otherwise read-only public wiki it may give attackers write access. When an external authentication system such as LDAP is configured, the account can still be created, but authenticating with it fails unless the authentication system supports a bypass or local accounts are enabled.

Recommendations
For XWiki Platform versions prior to 13.10.5, update to version 13.10.5 or later. For XWiki Platform versions prior to 14.2, update to version 14.2 or later. As a temporary workaround, replace xpart.vm with the patched version from the fix without updating XWiki.

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Improper Authentication (CWE-287)

Related Identifiers

CVE-2022-36093
GHSA-H5J3-5X63-P8JV

Affected Products

Xwiki Platform