5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-41936

CVE-2022-41936: Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server

Impact

The modifications rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users are exposed though the modifications rest endpoint (e.g., comments, page names...).

Patches

Users should upgrade to XWiki 14.6+, 14.4.3+, or13.10.8+. Older versions have not been patched.

Workarounds

No known workaround.

References

Patch: https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff
Jira issue: https://jira.xwiki.org/browse/XWIKI-19997

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-41936

CVE-2022-41936:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-rest-server	maven	>= 8.1, < 13.10.8	13.10.8
org.xwiki.platform:xwiki-platform-rest-server	maven	>= 14.0.0, < 14.4.3	14.4.3
org.xwiki.platform:xwiki-platform-rest-server	maven	>= 14.5.0, < 14.6	14.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing authorization checks in the modifications endpoint handler. The pre-patch code in ModificationsResourceImpl.java directly processed database query results and exposed document metadata without verifying if the user has VIEW rights. The critical addition in the patch (authorizationManager.hasAccess(VIEW, documentReference)) confirms the vulnerability existed in the original implementation of this method. The test file added in the commit further validates that permission checks are now enforced at this entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-41936: Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server

Impact

Patches

Workarounds

References

For more information

CVE-2022-41936:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

5.3

5.3

Basic Information

Basic Information

CVE-2022-41936: Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server

Impact

Patches

Workarounds

References

For more information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI