CVE-2022-23616

HIGH

XWiki Platform 3.1.1-13.1 - Unauthenticated Remote Code Execution via Reset Password Feature

Title source: llm

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for an unprivileged user to perform a remote code execution by injecting a groovy script in her own profile and by calling the Reset password feature since the feature is performing a save of the user profile with programming rights in the impacted versions of XWiki. The issue has been patched in XWiki 13.1RC1. There are two different possible workarounds, each consisting of modifying the XWiki/ResetPassword page. 1. The Reset password feature can be entirely disabled by deleting the XWiki/ResetPassword page. 2. The script in XWiki/ResetPassword can also be modified or removed: an administrator can replace it with a simple email contact to ask an administrator to reset the password.

References (2)

Core 2

Core References

Third Party Advisory x_refsource_confirm

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mgjw-2wrp-r535

Patch, Vendor Advisory x_refsource_misc

https://jira.xwiki.org/browse/XWIKI-16661

Scores

CVSS v3 8.8

EPSS 0.0249

EPSS Percentile 85.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-74

Status published

Products (3)

org.xwiki.platform/xwiki-platform-administration-ui 3.1-milestone-1 - 13.1RC1Maven

xwiki/xwiki 3.1 milestone1 (3 CPE variants)

xwiki/xwiki 3.1.1 - 13.1

Published Feb 09, 2022

Tracked Since Feb 18, 2026