SCA: security update for org.xwiki.platform:xwiki-platform-web, org.xwiki.platform:xwiki-platform-web-templates (GHSA-599v-w48h-rjrm)

high Tenable Self-Hosted Container Security Plugin ID 410722

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the
suggestion feature, string and list properties of objects the user shouldn't have access to can be
accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email
addresses and salted password hashes of registered users but also other information stored in properties
of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By
exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for
string properties. The issue is patched in version 13.10.4 and 14.2. Password properties are no longer
displayed and rights are checked for other properties. A workaround is available. The template file
`suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been
overridden, in which case the overridden template should be patched, too. This might need adjustments for
older versions, though. (CVE-2022-36091)

See Also

https://github.com/advisories/GHSA-599v-w48h-rjrm

Plugin Details

Severity: High

ID: 410722

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2022-36091

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/16/2022

Vulnerability Publication Date: 9/8/2022

Reference Information

CVE: CVE-2022-36091