CVE-2022-41936
Published: 2022-11-22

CVE-2022-41936: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` rest endpoint does not filter out…

Priority: P3 40 | Severity: High 7.5 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.72% (49.4th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users is exposed through the `modifications` rest endpoint (comments, page names, etc.). Users should upgrade to XWiki 14.6+, 14.4.3+, or 13.10.8+. Older versions have not been patched. There are no known workarounds.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 14.0 < 14.4.3 | 14.4.3 |
| xwiki | xwiki | >= 14.5 < 14.6 | 14.6 |
| xwiki | xwiki | >= 8.1 < 13.10.8 | 13.10.8 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
GHSA
Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server
ghsa·2022-11-21
CVE-2022-41936 [MEDIUM] CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server
### Impact
The `modifications` rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users is exposed through the `modifications` rest endpoint (e.g., comments, page names, ...).
### Patches
Users should upgrade to XWiki 14.6+, 14.4.3+, or 13.10.8+. Older versions have not been patched.
### Workarounds
No known workaround.
### References
- Patch: https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff
- Jira issue: https://jira.xwiki.org/browse/XWIKI-19997
### For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
OSV
Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server
osv·2022-11-21
CVE-2022-41936 [MEDIUM] Exposure of Private Personal Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-rest-server
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p88w-fhxw-xvcc
- https://jira.xwiki.org/browse/XWIKI-19997

Published: 2022-11-22