Executive Summary
| Informations | |||
|---|---|---|---|
| Name | CVE-2022-36091 | First vendor Publication | 2022-09-08 |
| Vendor | Cve | Last vendor Modification | 2023-07-21 |
Security-Database Scoring CVSS v3
| Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | |||
|---|---|---|---|
| Overall CVSS Score | 7.5 | ||
| Base Score | 7.5 | Environmental Score | 7.5 |
| impact SubScore | 3.6 | Temporal Score | 7.5 |
| Exploitabality Sub Score | 3.9 | ||
| Attack Vector | Network | Attack Complexity | Low |
| Privileges Required | None | User Interaction | None |
| Scope | Unchanged | Confidentiality Impact | High |
| Integrity Impact | None | Availability Impact | None |
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : | |||
|---|---|---|---|
| Cvss Base Score | N/A | Attack Range | N/A |
| Cvss Impact Score | N/A | Attack Complexity | N/A |
| Cvss Expoit Score | N/A | Authentication | N/A |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. A workaround is available. The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though. |
Original Source
| Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36091 |
CPE : Common Platform Enumeration
Sources (Detail)
| Source | Url |
|---|---|
| CONFIRM | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-599v-w48h-rjrm |
| MISC | https://jira.xwiki.org/browse/XWIKI-18849 |
Alert History
| Date | Informations |
|---|---|
| 2024-09-07 02:31:52 |
|
| 2024-08-02 13:40:01 |
|
| 2024-08-02 01:30:16 |
|
| 2024-02-02 02:37:51 |
|
| 2024-02-01 12:27:41 |
|
| 2023-11-30 02:24:55 |
|
| 2023-11-03 02:32:08 |
|
| 2023-11-01 02:25:41 |
|
| 2023-09-30 13:21:56 |
|
| 2023-09-05 13:32:28 |
|
| 2023-09-05 01:27:06 |
|
| 2023-09-02 13:30:41 |
|
| 2023-09-02 01:27:30 |
|
| 2023-08-30 02:21:37 |
|
| 2023-08-12 13:37:50 |
|
| 2023-08-12 01:26:48 |
|
| 2023-08-11 13:28:26 |
|
| 2023-08-11 01:27:38 |
|
| 2023-08-06 13:26:12 |
|
| 2023-08-06 01:26:31 |
|
| 2023-08-04 13:26:37 |
|
| 2023-08-04 01:26:52 |
|
| 2023-07-22 00:27:35 |
|
| 2023-07-14 13:26:36 |
|
| 2023-07-14 01:26:35 |
|
| 2023-07-12 13:33:59 |
|
| 2023-07-01 02:18:09 |
|
| 2023-05-17 02:15:36 |
|
| 2023-05-02 02:16:35 |
|
| 2023-04-27 02:20:49 |
|
| 2023-04-26 02:19:32 |
|
| 2023-03-15 02:13:20 |
|
| 2023-03-14 02:13:36 |
|
| 2022-12-01 02:08:05 |
|
| 2022-09-15 21:27:19 |
|
| 2022-09-14 00:27:22 |
|
| 2022-09-13 21:27:13 |
|
| 2022-09-08 21:27:10 |
|
