CVE-2022-23621: CWE-862: Missing Authorization in xwiki xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")`. This issue has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1. Users are advised to update. The only workaround is to limit SCRIPT right.
AI Analysis
Technical Summary
CVE-2022-23621 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. The vulnerability exists in certain versions of XWiki Platform prior to the patched releases 12.10.9, 13.4.3, and 13.7-rc-1. Specifically, any user with the SCRIPT right can exploit this flaw to read arbitrary files located within the XWiki WAR archive, including sensitive configuration files such as xwiki.cfg and xwiki.properties. This is achieved by invoking the method XWiki#invokeServletAndReturnAsString with a path to the target file, for example, $xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg"). The root cause is the lack of proper authorization checks when accessing these internal files, allowing users with SCRIPT privileges to bypass intended access controls. The vulnerability does not require elevated privileges beyond SCRIPT rights, nor does it require additional user interaction beyond executing the script. Although no known exploits have been reported in the wild, the exposure of configuration files can lead to significant information disclosure, potentially revealing database credentials, internal URLs, or other sensitive operational parameters. The issue has been addressed by the vendor through patches in the specified versions, and the only interim mitigation is to restrict SCRIPT rights to trusted users only.
Potential Impact
For European organizations using affected versions of XWiki Platform, this vulnerability poses a medium-level risk primarily due to unauthorized disclosure of sensitive configuration files. Exposure of these files can compromise confidentiality by revealing credentials, internal service endpoints, or security settings, which could facilitate further attacks such as privilege escalation, lateral movement, or data exfiltration. Integrity and availability impacts are less direct but could follow if attackers leverage disclosed information to deploy secondary attacks. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) could face compliance risks if sensitive data is leaked. Since the vulnerability requires SCRIPT rights, the impact depends on how broadly these rights are assigned within an organization. Misconfigured or overly permissive access controls could increase risk. The absence of known exploits suggests limited active targeting, but the ease of exploitation and potential impact warrant prompt remediation. European organizations relying on XWiki for internal documentation, collaboration, or application platforms should prioritize patching to prevent unauthorized access to critical configuration data.
Mitigation Recommendations
1. Immediate patching: Upgrade XWiki Platform installations to versions 12.10.9, 13.4.3, or 13.7-rc-1 or later where the vulnerability is fixed.
2. Restrict SCRIPT rights: Audit current user permissions and limit SCRIPT rights strictly to trusted administrators or service accounts. Avoid granting SCRIPT rights to general users or untrusted parties.
3. Monitor usage: Implement logging and monitoring of SCRIPT executions to detect unusual or unauthorized attempts to invoke internal servlets or access sensitive files.
4. Configuration review: Review and harden configuration files to minimize sensitive information exposure, such as using environment variables or external secrets management where possible.
5. Network segmentation: Isolate XWiki instances within secure network zones to reduce exposure to unauthorized users.
6. Incident response readiness: Prepare to investigate and respond to any suspicious activity related to XWiki, including potential data access or exfiltration attempts.
7. User training: Educate administrators and users with SCRIPT rights about the risks and proper usage to prevent accidental misuse.
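Recommendation 3 (monitoring) is easier to act on with concrete logic. The following is an added example, not code from XWiki or from this advisory: it scans wiki page script bodies (for instance pulled from a content export or the wiki database) for invokeServletAndReturnAsString calls whose argument, after percent-decoding and path normalization, resolves under /WEB-INF or /META-INF, which is the pattern the vulnerability abuses. The page names and script bodies below are constructed sample data.

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed sample of XWiki page content as an auditor might export it;
# these are not real pages from any installation.
SAMPLE_SCRIPTS = {
    "Sandbox.Report": '{{velocity}}$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg"){{/velocity}}',
    "Sandbox.Help": '{{velocity}}$xwiki.invokeServletAndReturnAsString("/bin/view/Main/WebHome"){{/velocity}}',
    "Sandbox.Relative": '{{velocity}}$xwiki.invokeServletAndReturnAsString("/skins/../WEB-INF/xwiki.properties"){{/velocity}}',
    "Sandbox.Encoded": '{{groovy}}xwiki.invokeServletAndReturnAsString("/%57EB-INF/xwiki.cfg"){{/groovy}}',
    "Sandbox.Plain": "Just some wiki text without any scripting.",
}

# Matches the call with a single- or double-quoted string literal argument.
CALL_RE = re.compile(r'invokeServletAndReturnAsString\s*\(\s*["\']([^"\']*)["\']')

# WAR-internal directories a servlet container never serves directly.
PROTECTED_PREFIXES = ("/WEB-INF", "/META-INF")


def normalize(path):
    """Percent-decode and collapse '.' / '..' segments so variants of the
    same path compare equal; decoding twice also catches %25-encoded input."""
    decoded = unquote(unquote(path))
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def is_protected(path):
    """True when the normalized path is inside a protected WAR directory.
    The comparison is case-insensitive to stay conservative."""
    norm = normalize(path).upper()
    return any(norm == p or norm.startswith(p + "/") for p in PROTECTED_PREFIXES)


def find_suspicious_calls(scripts):
    """Return (page, raw_argument, normalized_path) for every call that
    reaches a protected path; benign servlet paths are not reported."""
    hits = []
    for page, content in scripts.items():
        for raw in CALL_RE.findall(content):
            if is_protected(raw):
                hits.append((page, raw, normalize(raw)))
    return hits


if __name__ == "__main__":
    for page, raw, norm in find_suspicious_calls(SAMPLE_SCRIPTS):
        print(f"{page}: {raw!r} -> {norm}")
```

On a real deployment, run this over an export of pages whose authors hold SCRIPT right and treat any hit as a finding to review, together with the page's author and last-modified metadata.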
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-01-19T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9842c4522896dcbf2586
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 4:32:16 PM
Last updated: 8/15/2025, 12:48:22 AM