Vulnerability Details : CVE-2022-23619
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to guess if a user has an account on the wiki by using the "Forgot your password" form, even if the wiki is closed to guest users. This problem has been patched on XWiki 12.10.9, 13.4.1 and 13.6RC1. Users are advised yo update. There are no known workarounds for this issue.
Vulnerability category: Information leak
Products affected by CVE-2022-23619
- cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
- cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
- cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-23619
0.15%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 52 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-23619
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST | |
5.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
3.9
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2022-23619
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: security-advisories@github.com (Secondary)
-
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-23619
-
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-35fg-hjcr-j65f
The "Forgot your password?" form offers too much information concerning user accounts · Advisory · xwiki/xwiki-platform · GitHubThird Party Advisory
-
https://jira.xwiki.org/browse/XWIKI-18787
[XWIKI-18787] The "Forgot your password?" form offers too much information concerning user accounts - XWiki.org JIRAPatch;Vendor Advisory
-
https://github.com/xwiki/xwiki-platform/commit/d8a3cce48e0ac1a0f4a3cea7a19747382d9c9494
XWIKI-18787: Authentication API does not return proper results (#1651) · xwiki/xwiki-platform@d8a3cce · GitHubPatch;Third Party Advisory
Jump to