PT-2022-26161 · Xwiki · Xwiki-Platform-User-Profile-Ui
Michael Hamann
·
Published
2022-11-21
·
Updated
2022-11-30
·
CVE-2022-41930
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
xwiki-platform-user-profile-ui versions prior to 13.10.7
xwiki-platform-user-profile-ui versions prior to 14.4.2
xwiki-platform-user-profile-ui versions prior to 14.5RC1
Description
The issue is related to missing authorization in the xwiki-platform-user-profile-ui, allowing any user with access to the page XWiki.XWikiUserProfileSheet to enable or disable any user profile. This could allow a disabled user to re-enable themselves or an attacker to disable any user of the wiki.
Recommendations
For versions prior to 13.10.7, update to version 13.10.7 or later.
For versions prior to 14.4.2, update to version 14.4.2 or later.
For versions prior to 14.5RC1, update to version 14.5RC1 or later.
As a temporary workaround, consider editing the page
XWiki.XWikiUserProfileSheet in the wiki and performing the changes contained in the provided commit.Exploit
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Xwiki-Platform-User-Profile-Ui