Lucene search

PRIOn knowledge basePRION:CVE-2022-41930

HistoryNov 23, 2022 - 7:15 p.m.

Authorization

2022-11-2319:15:00

PRIOn knowledge base

www.prio-n.com

authorization

xwiki

user profile

disabled user

attacker

patch

nvd

8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

42.3%

JSON

org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki. The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2. Workarounds: The problem can be patched immediately by editing the page XWiki.XWikiUserProfileSheet in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa.

CPENameOperatorVersion
xwikige14.0.0
xwikilt14.4.2
xwikige12.4
xwikilt13.10.7
xwikieq14.4.3
xwikieq14.4.4

Name	Operator	Version
xwiki	ge	14.0.0
xwiki	lt	14.4.2
xwiki	ge	12.4
xwiki	lt	13.10.7
xwiki	eq	14.4.3
xwiki	eq	14.4.4

References

github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa

github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5v9-g8w8-5q4v

jira.xwiki.org/browse/XWIKI-19792