Improper Authorization Affecting org.xwiki.platform:xwiki-platform-oldcore package, versions [,13.10.5)[14.0-rc-1,14.3-rc-1)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.22% (60th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGXWIKIPLATFORM-3019830
  • published9 Sept 2022
  • disclosed9 Sept 2022
  • creditThomas Mortagne

Introduced: 9 Sep 2022

CVE-2022-36090  (opens in a new tab)
CWE-285  (opens in a new tab)

How to fix?

Upgrade org.xwiki.platform:xwiki-platform-oldcore to version 13.10.5, 14.3-rc-1 or higher.

Overview

org.xwiki.platform:xwiki-platform-oldcore is a generic wiki platform offering runtime services for applications built on top of it.

Affected versions of this package are vulnerable to Improper Authorization due to missing a check for inactive (not yet activated or disabled) users in XWiki, including in the REST service. This means a disabled user can enable themselves using a REST call.

CVSS Scores

version 3.1