SCA: security update for org.xwiki.platform:xwiki-platform-oldcore (GHSA-jgc8-gvcx-9vfx)

high Tenable Cloud Security Plugin ID 416350

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions
13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled)
users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST
call. On the same way some resources handler created by extensions are not protected by default, so an
inactive user could perform actions for such extensions. This issue has existed since at least version 1.1
of XWiki for instance configured with the email activation required for new users. Now it's more critical
for versions 11.3-rc-1 and later since the maintainers provided the capability to disable user without
deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There
is no workaround for this other than upgrading XWiki. (CVE-2022-36090)

See Also

https://github.com/advisories/GHSA-jgc8-gvcx-9vfx

Plugin Details

Severity: High

ID: 416350

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:N

CVSS Score Source: CVE-2022-36090

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/16/2022

Vulnerability Publication Date: 9/8/2022

Reference Information

CVE: CVE-2022-36090

cwe: CWE-285