CVE-2022-24820

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-24820
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24820.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-24820
Aliases
Published
2022-04-08T19:25:10Z
Modified
2026-04-10T04:45:34.680561Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Unauthenticated user can list hidden document from multiple velocity templates
Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-359"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24820.json"
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
b72dfa77858847bb8e11b735cf12385520fc2270
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ac12f8e2f29d301d4dcd677381c24b864fa1544b
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
c7632542f15ec0e4c8de414b3f0b671dd7df988d
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "12.10.11"
        },
        {
            "introduced": "13.4.0"
        },
        {
            "fixed": "13.4.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "13.9-NA"
        }
    ]
}

Affected versions

xwiki-platform-12.*
xwiki-platform-12.10
xwiki-platform-12.10.1
xwiki-platform-12.10.10
xwiki-platform-12.10.2
xwiki-platform-12.10.3
xwiki-platform-12.10.4
xwiki-platform-12.10.5
xwiki-platform-12.10.6
xwiki-platform-12.10.7
xwiki-platform-12.10.8
xwiki-platform-12.10.9
xwiki-platform-13.*
xwiki-platform-13.4
xwiki-platform-13.4-rc-1
xwiki-platform-13.4.1
xwiki-platform-13.4.2
xwiki-platform-13.4.3
xwiki-platform-13.9
xwiki-platform-13.9-rc-1
xwiki-platform-7.*
xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2
xwiki-platform-8.*
xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1
xwiki-platform-9.*
xwiki-platform-9.9-rc-2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24820.json"