CVE-2022-24820: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in xwiki xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem.
AI Analysis
Technical Summary
CVE-2022-24820 is a medium-severity vulnerability affecting the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. The vulnerability arises from improper access control in the platform's handling of velocity documents, which are templates used to render dynamic content. Specifically, a guest user—who normally lacks permission to view wiki pages—can exploit this flaw to list documents by rendering certain velocity documents. This behavior leads to the exposure of private personal information to unauthorized actors, violating confidentiality principles. The vulnerability affects multiple versions of XWiki Platform prior to 8.4.5, 10.11.8, 11.3.1, and 13.6-rc-1, and has been patched in versions 12.10.11, 13.4.4, and 13.9-rc-1. There is currently no known workaround other than applying the official patches. No known exploits have been reported in the wild to date. The root cause is categorized under CWE-359, which relates to exposure of private personal information to unauthorized actors due to insufficient access control mechanisms. The vulnerability does not require authentication, as it can be triggered by guest users, and does not require user interaction beyond accessing the vulnerable velocity documents. The scope of affected systems includes any deployment of the vulnerable XWiki Platform versions, which are commonly used in enterprise collaboration, knowledge management, and documentation environments.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive information stored within XWiki deployments. Since guest users can enumerate documents without proper authorization, private personal data or proprietary business information may be inadvertently exposed. This could lead to data breaches, regulatory non-compliance (notably with GDPR), reputational damage, and potential legal consequences. Organizations using XWiki for internal documentation, project collaboration, or customer-facing knowledge bases are particularly at risk. The exposure of private information could facilitate further targeted attacks such as social engineering or spear-phishing. Although no known exploits are currently active, the ease of exploitation—requiring no authentication—means that attackers could readily probe vulnerable installations. The integrity and availability of the platform are not directly impacted by this vulnerability, but the confidentiality breach alone warrants prompt attention.
Mitigation Recommendations
The primary and most effective mitigation is to upgrade affected XWiki Platform instances to the patched versions 12.10.11, 13.4.4, or 13.9-rc-1 or later. Since no workaround is available, patching is critical. Organizations should audit their XWiki deployments to identify versions in use and prioritize patching accordingly. Additionally, restricting guest user access at the network perimeter or via web application firewalls (WAFs) to limit exposure can reduce risk temporarily. Implementing strict access control policies and reviewing velocity document templates for potential information leakage is recommended. Monitoring logs for unusual guest user activity or document enumeration attempts can help detect exploitation attempts. For environments where immediate patching is not feasible, isolating the XWiki platform behind VPNs or internal networks can reduce exposure to unauthorized actors. Finally, organizations should review their data classification and ensure sensitive information is not unnecessarily stored in publicly accessible wiki pages or templates.
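The audit step above (identify the XWiki versions in use and decide which still need the patch) is easy to get wrong by hand because the fix landed on three separate lines at once. The following is an added example, not code from the advisory or from the XWiki project: it encodes only the fixed versions named on this page (12.10.11, 13.4.4 and 13.9-rc-1) and assumes XWiki's usual version scheme of `major.minor[.patch][-rc-N]`, where a release candidate sorts before the final release of the same number. The inventory at the bottom is constructed sample data.

```python
"""Decide whether an XWiki Platform version string carries the CVE-2022-24820 fix.

Added example, not part of the advisory or of XWiki's own code. Assumes the
version scheme "major.minor[.patch][-rc-N]" and that a release candidate
precedes the final release with the same number (13.9-rc-1 < 13.9).
"""
import re
from typing import Dict, Tuple

# First fixed release on each line, as named in the advisory:
#   12.10.11 fixes the 12.10.x branch, 13.4.4 fixes the 13.4.x branch,
#   13.9-rc-1 fixes the main line and every release after it.
BRANCH_FIXES = ["12.10.11", "13.4.4"]
MAIN_LINE_FIX = "13.9-rc-1"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a version string into a sortable tuple.

    The fourth element is 0 for a release candidate and 1 for a final
    release, so 13.9-rc-1 < 13.9 and 13.9-rc-1 < 13.9-rc-2.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def is_fixed(version: str) -> bool:
    """Return True if this version includes the CVE-2022-24820 fix."""
    v = parse_version(version)
    # Anything at or after the main-line fix is patched (13.9-rc-1, 13.9, 14.x, ...).
    if v >= parse_version(MAIN_LINE_FIX):
        return True
    # Otherwise the version must sit on a maintained branch and be at or
    # above that branch's own fix; versions on other lines (e.g. 13.5.x,
    # 11.x) never received it.
    for fix in BRANCH_FIXES:
        f = parse_version(fix)
        same_branch = v[:2] == f[:2]
        if same_branch and v >= f:
            return True
    return False


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> version to host -> 'fixed' | 'affected' | 'unknown'.

    Unparseable version strings are reported as 'unknown' rather than
    silently treated as safe, so they still get a human look.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "fixed" if is_fixed(version) else "affected"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hypothetical hosts, not real deployments).
SAMPLE_INVENTORY = {
    "wiki-a.example": "13.4.3",   # 13.4.x branch, one release short of the fix
    "wiki-b.example": "13.10.2",  # after 13.9-rc-1 on the main line
    "wiki-c.example": "12.10.11", # exactly the 12.10.x fix
    "wiki-d.example": "n/a",      # version not recorded
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Treat an `unknown` result as "affected until proven otherwise": an inventory entry without a parseable version is exactly the kind of forgotten instance that stays exposed after everyone believes the patch is rolled out.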
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-02-10T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9848c4522896dcbf6392
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 2:34:57 AM
Last updated: 8/8/2025, 12:03:28 PM