CVE-2022-31166: CWE-269: Improper Privilege Management in xwiki xwiki-platform
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. More specifically, editing a right with the object editor adds a supplementary empty value to the groups, which is then resolved as a reference to the XWiki.WebHome page. Adding an XWikiGroup xobject to that page then transforms it into a group, and any user put in that group obtains the privileges related to the edited right. Note that this security issue is normally mitigated by the fact that XWiki.WebHome (and the XWiki space in general) should be protected by default for edit rights. The problem has been patched in XWiki 13.10.4 and 14.2RC1 to no longer consider empty values in XWikiRights. It is possible to work around the problem by setting appropriate rights on the XWiki.WebHome page to prevent users from editing it.
AI Analysis
Technical Summary
CVE-2022-31166 is a vulnerability classified under CWE-269 (Improper Privilege Management) affecting the XWiki Platform, a widely used generic wiki platform. The vulnerability exists in the XWikiRights resolution mechanism for groups within certain versions of the XWiki Platform core package (specifically versions >= 11.3.7 and < 13.10.4, and >= 14.0-rc-1 and < 14.2-rc-1). The issue arises when editing rights using the object editor, which inadvertently adds an empty value to the groups attribute. This empty value is interpreted as a reference to the XWiki.WebHome page. By adding an XWikiGroup xobject to the XWiki.WebHome page, an attacker can convert this page into a group. Any user added to this group then inherits the privileges associated with the edited right, effectively allowing privilege escalation. Although the default configuration typically protects the XWiki.WebHome page and the XWiki space from unauthorized edits, misconfigurations or insufficient access controls could allow exploitation. The vulnerability has been patched in versions 13.10.4 and 14.2RC1 by ignoring empty values in XWikiRights resolution, preventing this escalation vector. A workaround involves explicitly setting strict edit rights on the XWiki.WebHome page to prevent unauthorized modifications. No known exploits have been reported in the wild to date.
Potential Impact
For European organizations using vulnerable versions of the XWiki Platform, this vulnerability poses a significant risk of privilege escalation. An attacker with limited editing rights could exploit this flaw to gain elevated privileges, potentially allowing unauthorized access to sensitive wiki content, modification of critical documentation, or disruption of collaboration workflows. This could lead to confidentiality breaches, integrity violations, and availability issues if critical pages are altered or deleted. Organizations relying on XWiki for internal knowledge management, documentation, or collaboration—especially in sectors like government, finance, healthcare, and research—may face operational disruptions and reputational damage. The risk is heightened if default protections on XWiki.WebHome are weakened or misconfigured. Although no active exploitation is known, the ease of exploitation through the object editor and the broad scope of affected versions make timely remediation critical.
Mitigation Recommendations
1. Upgrade affected XWiki Platform instances to versions 13.10.4 or later, or 14.2RC1 or later, where the vulnerability is patched.
2. As an immediate workaround, enforce strict access controls on the XWiki.WebHome page and the entire XWiki space to restrict edit permissions only to trusted administrators.
3. Audit existing group and rights configurations to detect any unauthorized or suspicious group objects on the XWiki.WebHome page.
4. Implement monitoring and alerting for changes to critical pages, especially XWiki.WebHome, to detect potential exploitation attempts.
5. Educate administrators and users about the risks of improper rights editing and the importance of maintaining secure configurations.
6. Regularly review and harden wiki platform security settings, including minimizing the number of users with edit rights on sensitive pages.
7. Consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting rights editing functionalities.
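The following is an added illustration, not XWiki's code: a simplified Python model of how an empty entry in an XWikiRights Groups field collapses to XWiki.WebHome (the mechanism described above), with the patched behaviour beside it, plus the check from mitigation step 3 run over a constructed object listing. The resolver defaults (space "XWiki", page "WebHome"), the comma-separated Groups format and the listing layout are assumptions made for the example.

```python
# Constructed model of the CVE-2022-31166 group-resolution flaw plus a config
# audit. Not XWiki code: the resolver is a simplified stand-in for XWiki's
# reference resolution (default space "XWiki", default page "WebHome").
DEFAULT_SPACE = "XWiki"
DEFAULT_PAGE = "WebHome"   # what an empty reference collapses to


def resolve_reference(value: str) -> str:
    """Fill missing parts of a document reference with defaults, so the
    empty string resolves to XWiki.WebHome (the behaviour the bug relies on)."""
    value = value.strip()
    if not value:
        return f"{DEFAULT_SPACE}.{DEFAULT_PAGE}"
    if "." not in value:
        return f"{DEFAULT_SPACE}.{value}"
    return value


def resolve_groups(groups_field: str, skip_empty: bool) -> list[str]:
    """Expand the comma-separated Groups field of an XWikiRights object.
    skip_empty=False mimics pre-13.10.4: the trailing empty element left by
    the object editor becomes XWiki.WebHome, granting the right to whatever
    that page turns into. skip_empty=True mirrors the fix (empty values dropped)."""
    parts = groups_field.split(",")
    if skip_empty:
        parts = [p for p in parts if p.strip()]
    return [resolve_reference(p) for p in parts]


def audit_webhome_objects(objects: list[dict]) -> list[str]:
    """Mitigation step 3: flag XWikiGroups objects attached to XWiki.WebHome,
    a page that should never be a group on a default install."""
    target = f"{DEFAULT_SPACE}.{DEFAULT_PAGE}"
    return [f"{o['document']} carries {o['class']} #{o['number']}"
            for o in objects
            if o["document"] == target and o["class"] == "XWiki.XWikiGroups"]


if __name__ == "__main__":
    saved = "XWiki.XWikiAdminGroup,"          # trailing comma from the editor
    print(resolve_groups(saved, skip_empty=False))  # vulnerable resolution
    print(resolve_groups(saved, skip_empty=True))   # patched resolution
    listing = [  # constructed object dump, not real data
        {"document": "XWiki.WebHome", "class": "XWiki.XWikiGroups", "number": 0},
        {"document": "XWiki.XWikiAdminGroup", "class": "XWiki.XWikiGroups", "number": 0},
    ]
    print(audit_webhome_objects(listing))
```

In a real audit the listing would come from the wiki's object data rather than a hand-made list; the point is that any group object on XWiki.WebHome is a finding, regardless of how the rights field was saved.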
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-05-18T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf6893
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 11:43:53 PM
Last updated: 8/17/2025, 7:38:00 PM