CVE-2022-24820 Unauthenticated user can list hidden document from multiple velocity templates

2022-04-0819:25:10

CWE-359

GitHub_M

www.cve.org

cve-2022-24820

unauthenticated user

list hidden documents

velocity templates

xwiki platform

patch

versions 12.10.11

13.4.4

13.9-rc-1

no workaround

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

30.0%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem.

CNA Affected

[
  {
    "product": "xwiki-platform",
    "vendor": "xwiki",
    "versions": [
      {
        "status": "affected",
        "version": "< 8.4.5, < 10.11.8, < 11.3.1, < 13.6-rc-1 "
      }
    ]
  }
]