2 matches found
CVE-2022-39387
XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Prior to version 1.29.1, even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider its details through request parameters. One can then bypass the XWi...
CVE-2022-39387
XWiki OIDC authenticator (prior to 1.29.1) is vulnerable to authentication bypass by supplying a custom OpenID provider through request parameters (oidc.endpoint.* or oidc.xwikiprovider) and can also map the user to XWikiAdminGroup via oidc.groups.mapping. This stems from improper authentication ...