CVE-2022-41932

HIGH

XWiki < 13.10.8 - Denial of Service via Crafted User Identifier in Login Form

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database performance. The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14.4.2. Users are advised to upgrade. There are no known workarounds for this issue.

Scores

CVSS v3 7.5
EPSS 0.0019
EPSS Percentile 41.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-770 CWE-400
Status published
Products (4)
org.xwiki.platform/xwiki-platform-oldcore 0 - 13.10.8 (Maven)
xwiki/xwiki 14.4.3
xwiki/xwiki 14.4.4
xwiki/xwiki < 13.10.8
Published Nov 23, 2022
Tracked Since Feb 18, 2026