SCA: security update for org.xwiki.platform:xwiki-platform-user-profile-ui (GHSA-p5v9-g8w8-5q4v)

high Tenable Self-Hosted Container Security Plugin ID 417316

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any
user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user
profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any
user of the wiki. The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2. Workarounds: The
problem can be patched immediately by editing the page `XWiki.XWikiUserProfileSheet` in the wiki and by
performing the changes contained in https://github.com/xwiki/xwiki-
platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa. (CVE-2022-41930)

See Also

https://github.com/advisories/GHSA-p5v9-g8w8-5q4v

Plugin Details

Severity: High

ID: 417316

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.63

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:P

CVSS Score Source: CVE-2022-41930

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/21/2022

Vulnerability Publication Date: 11/21/2022

Reference Information

CVE: CVE-2022-41930

cwe: CWE-862