CVE-2022-41930: org.xwiki.platform:xwiki-platform-user-profile-ui missing authorization to enable or disable users

First published: Mon Nov 21 2022(Updated: )

### Impact Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki. ### Patches The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2. ### Workarounds The problem can be patched immediately by editing the page `XWiki.XWikiUserProfileSheet` in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa. ### References * https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa * https://jira.xwiki.org/browse/XWIKI-19792 ### For more information If you have any questions or comments about this advisory: * Open an issue in [JIRA](https://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org)

Credit: security-advisories@github.com security-advisories@github.com

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/nvd-index
• agent/type
• collector/mitre-cve
• source/MITRE
• agent/author
• agent/remedy
• agent/weakness
• agent/title
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-p5v9-g8w8-5q4v
• alias/CVE-2022-41930
• agent/software-canonical-lookup
• agent/severity
• agent/last-modified-date
• agent/references
• agent/source
• agent/softwarecombine
• agent/description
• agent/first-publish-date
• agent/tags
• agent/event
• collector/nvd-cve
• source/NVD
• vendor/xwiki
• canonical/xwiki xwiki
• version/xwiki xwiki/12.4
• version/xwiki xwiki/14.0.0
• version/xwiki xwiki/14.4.3
• version/xwiki xwiki/14.4.4
• package-manager/maven