9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-41930

GHSA ID

GHSA-p5v9-g8w8-5q4v

EPSS Score

0.58962%

CWE

CWE-862

Published

11/21/2022

Updated

1/22/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-41930

CVE-2022-41930:
Missing Authorization to enable or disable users in org.xwiki.platform:xwiki-platform-user-profile-ui

Impact

Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki.

Patches

The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2.

Workarounds

The problem can be patched immediately by editing the page XWiki.XWikiUserProfileSheet in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa.

References

https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa
https://jira.xwiki.org/browse/XWIKI-19792

For more information

If you have any questions or comments about this advisory:

Open an issue in JIRA
Email us at security ML

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-41930

GHSA ID

GHSA-p5v9-g8w8-5q4v

EPSS Score

0.58962%

CWE

CWE-862

Published

11/21/2022

Updated

1/22/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-user-profile-ui	maven	>= 12.4, < 13.10.7	13.10.7
org.xwiki.platform:xwiki-platform-user-profile-ui	maven	>= 14.0.0, < 14.4.2	14.4.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing authorization checks in the Velocity template code that processes enable/disable actions. The original code (before patch) only validated CSRF token and user existence, but didn't check: 1) If the requester has admin privileges ($hasAdmin), and 2) If the target user is the current user ($isCurrentUser). The commit diff shows these checks were added in the conditional statement that gates the enable/disable functionality. The file path is explicitly shown in the commit diff, and the CWE-862 (Missing Authorization) classification directly maps to these missing security checks in the template's control flow.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ny us*r (lo**** in or not) wit* ****ss to t** p*** XWiki.XWikiUs*rPro*il*S***t **n *n**l* or *is**l* *ny us*r pro*il*. T*is mi**t *llow to * *is**l** us*r to r*-*n**l* t**ms*lv*s, or to *n *tt**k*r to *is**l* *ny us*r o* t** wiki. ###

Reasoning

T** vuln*r**ility st*ms *rom missin* *ut*oriz*tion ****ks in t** V*lo*ity t*mpl*t* *o** t**t pro**ss*s *n**l*/*is**l* **tions. T** ori*in*l *o** (***or* p*t**) only v*li**t** *SR* tok*n *n* us*r *xist*n**, *ut *i*n't ****k: *) I* t** r*qu*st*r **s **

9.1

Basic Information

Concerned about an active attack path?

CVE-2022-41930: Missing Authorization to enable or disable users in org.xwiki.platform:xwiki-platform-user-profile-ui

Impact

Patches

Workarounds

References

For more information

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-41930:
Missing Authorization to enable or disable users in org.xwiki.platform:xwiki-platform-user-profile-ui

Vulnerability Intelligence
Miggo AI