CVE-2022-24820

MEDIUM

Xwiki < 12.10.11 - Missing Authentication

Title source: rule

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem.

References (2)

[Third Party Advisory] https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qpp2-2mcp-2wm5

[Exploit, Issue Tracking, Third Party Advisory] https://jira.xwiki.org/browse/XWIKI-16544

Scores

CVSS v3 5.3

EPSS 0.0012

EPSS Percentile 30.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-359 CWE-306

Status published

Products (3)

org.xwiki.platform/xwiki-platform-web 0 - 12.10.11Maven

xwiki/xwiki 13.9

xwiki/xwiki < 12.10.11

Published Apr 08, 2022

Tracked Since Feb 18, 2026