CVE-2022-41930: org.xwiki.platform:xwiki-platform-user-profile-ui missing authorization to enable or disable users
First published: Mon Nov 21 2022(Updated: )
### Impact Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki. ### Patches The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2. ### Workarounds The problem can be patched immediately by editing the page `XWiki.XWikiUserProfileSheet` in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa. ### References * https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa * https://jira.xwiki.org/browse/XWIKI-19792 ### For more information If you have any questions or comments about this advisory: * Open an issue in [JIRA](https://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.xwiki.platform:xwiki-platform-user-profile-ui | >=14.0.0<14.4.2 | 14.4.2 |
| maven/org.xwiki.platform:xwiki-platform-user-profile-ui | >=12.4<13.10.7 | 13.10.7 |
| Xwiki | >=12.4<13.10.7 | |
| Xwiki | >=14.0.0<14.4.2 | |
| Xwiki | =14.4.3 | |
| Xwiki | =14.4.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5v9-g8w8-5q4v
- https://jira.xwiki.org/browse/XWIKI-19792
- https://nvd.nist.gov/vuln/detail/CVE-2022-41930
- https://github.com/advisories/GHSA-p5v9-g8w8-5q4v (Advisory)
Frequently Asked Questions
What is the severity of CVE-2022-41930?
CVE-2022-41930 is a medium severity vulnerability that allows unauthorized users to enable or disable any user profile.
How do I fix CVE-2022-41930?
To fix CVE-2022-41930, update the XWiki platform to version 14.4.3 or later, or 13.10.7 or later.
Who is affected by CVE-2022-41930?
Any user who has access to the XWiki.XWikiUserProfileSheet page may be affected by CVE-2022-41930.
What versions of XWiki are vulnerable to CVE-2022-41930?
XWiki versions from 12.4 to 14.4.2 are vulnerable to CVE-2022-41930.
What can an attacker do with CVE-2022-41930?
An attacker can potentially disable any user of the wiki or re-enable a disabled user profile due to CVE-2022-41930.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/title
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-p5v9-g8w8-5q4v
- alias/CVE-2022-41930
- agent/software-canonical-lookup
- agent/severity
- agent/last-modified-date
- agent/references
- agent/softwarecombine
- agent/description
- agent/first-publish-date
- agent/source
- agent/author
- collector/github-advisory
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/event
- package-manager/maven
- vendor/xwiki
- canonical/xwiki
- version/xwiki/12.4
- version/xwiki/14.0.0
- version/xwiki/14.4.3
- version/xwiki/14.4.4