CVE-2022-36091: CWE-862: Missing Authorization in xwiki xwiki-platform
XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. The issue is patched in version 13.10.4 and 14.2. Password properties are no longer displayed and rights are checked for other properties. A workaround is available. The template file `suggest.vm` can be replaced by a patched version without upgrading or restarting XWiki unless it has been overridden, in which case the overridden template should be patched, too. This might need adjustments for older versions, though.
AI Analysis
Technical Summary
CVE-2022-36091 is a security vulnerability affecting the XWiki Platform, a widely used generic wiki platform for collaborative content management. The vulnerability arises from a missing authorization check (CWE-862) in the web template feature, specifically within the 'suggestion' functionality that allows users to query string and list properties of objects. In affected versions prior to 13.10.4 and between 14.0 and 14.2, unauthorized users can access sensitive data properties they should not have permission to view. This includes private personal information such as email addresses and salted password hashes of registered users, as well as sensitive configuration details like LDAP or SMTP server passwords stored in object properties. The vulnerability is further exacerbated by an additional flaw that allows exploitation even on private wikis, at least for string properties, increasing the risk of unauthorized data disclosure. The root cause is the absence of proper rights verification when rendering suggestions, leading to exposure of confidential information. The issue was addressed in versions 13.10.4 and 14.2 by removing password properties from display and enforcing rights checks on other properties. A workaround is available by replacing the vulnerable 'suggest.vm' template file with a patched version, which can be done without upgrading or restarting the platform unless the template has been overridden, in which case the overridden template must also be patched. This vulnerability does not require authentication to exploit and does not depend on user interaction, making it more accessible to attackers. No known exploits have been reported in the wild to date.
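To make the defect and the fix concrete, the following added illustration (not XWiki code; the documents, users, the `can_view` helper and the two `suggest_*` functions are constructed stand-ins for XWiki's object model and authorization service) contrasts a suggestion handler that returns property values with no rights check against one that applies the two controls the patch describes: password-typed properties are never returned, and every other value is filtered by the caller's view right on the owning document.

```python
"""Model of the CWE-862 defect in a 'suggest' endpoint and of its fix.

Added illustration, not XWiki code. WIKI, can_view() and the suggest_*
functions are constructed stand-ins for XWiki's data model and rights service.
"""
from dataclasses import dataclass


@dataclass
class Property:
    ptype: str   # property class, e.g. "String", "Password", "StaticList"
    value: str


@dataclass
class Document:
    ref: str
    viewers: frozenset   # users holding view right; "*" marks a public document
    properties: dict     # property name -> Property


# Constructed sample wiki: two user profiles and one configuration document.
WIKI = [
    Document("XWiki.Alice", frozenset({"*"}), {
        "email": Property("String", "alice@example.test"),
        "password": Property("Password", "hash:sha512:salt1:deadbeef"),
    }),
    Document("XWiki.Bob", frozenset({"Bob", "Admin"}), {
        "email": Property("String", "bob@example.test"),
        "password": Property("Password", "hash:sha512:salt2:cafebabe"),
    }),
    Document("XWiki.LDAPConfig", frozenset({"Admin"}), {
        "ldap_server": Property("String", "ldap.internal.test"),
        "ldap_bind_password": Property("Password", "S3cretBindPw"),
    }),
]


def can_view(user: str, doc: Document) -> bool:
    """Stand-in for the authorization service's view-right check."""
    return "*" in doc.viewers or user in doc.viewers


def suggest_vulnerable(user: str, prop_name: str, prefix: str) -> list:
    """Pre-fix behaviour (CWE-862): every document's value for the property is
    matched against the prefix; neither the caller's rights nor the property
    type is consulted, so password hashes and restricted configuration leak.
    The `user` argument is deliberately ignored to mirror the missing check."""
    return sorted(
        doc.properties[prop_name].value
        for doc in WIKI
        if prop_name in doc.properties
        and doc.properties[prop_name].value.startswith(prefix)
    )


def suggest_fixed(user: str, prop_name: str, prefix: str) -> list:
    """Post-fix behaviour: Password-typed properties are never suggested, and
    other values come only from documents the caller is allowed to view."""
    matches = []
    for doc in WIKI:
        prop = doc.properties.get(prop_name)
        if prop is None or prop.ptype == "Password":
            continue                      # never expose password properties
        if not can_view(user, doc):
            continue                      # the rights check that was missing
        if prop.value.startswith(prefix):
            matches.append(prop.value)
    return sorted(matches)


if __name__ == "__main__":
    print("vulnerable, guest, email:", suggest_vulnerable("guest", "email", ""))
    print("vulnerable, guest, password:", suggest_vulnerable("guest", "password", ""))
    print("fixed, guest, email:", suggest_fixed("guest", "email", ""))
    print("fixed, Admin, password:", suggest_fixed("Admin", "password", ""))
```

Both controls are needed: the rights check alone would still hand an administrator's own password hashes to the suggestion widget, and a hash is never an appropriate suggestion value regardless of who asks, which is why the patch drops password properties outright and only applies rights filtering to the rest.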
Potential Impact
For European organizations using XWiki Platform versions prior to 13.10.4 or between 14.0 and 14.2, this vulnerability poses a significant risk to confidentiality and integrity of sensitive data. Unauthorized access to personal user information such as email addresses and password hashes can lead to identity theft, phishing campaigns, and credential stuffing attacks. Exposure of password hashes, even salted ones, increases the risk of offline password cracking attempts. Leakage of sensitive configuration credentials like LDAP and SMTP passwords can enable attackers to pivot within the network, escalate privileges, or intercept communications. Since the vulnerability can be exploited without authentication and potentially on private wikis, organizations with internal or restricted wikis are also at risk. This could lead to data breaches affecting employee information, intellectual property, or internal communications. The availability impact is minimal, as the vulnerability does not directly cause service disruption. However, the reputational damage and compliance violations (e.g., GDPR) resulting from unauthorized data exposure could be substantial. European organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, are particularly vulnerable to regulatory penalties and loss of trust.
Mitigation Recommendations
Organizations should prioritize upgrading XWiki Platform to version 13.10.4 or 14.2 or later, where the vulnerability is fully patched. If immediate upgrading is not feasible, apply the workaround by replacing the 'suggest.vm' template file with the patched version provided by XWiki, ensuring that any overridden templates are also patched accordingly. Conduct a thorough audit of all wiki templates to identify and remediate any custom overrides that might bypass the patch. Restrict access to the wiki platform to trusted networks and users, employing network-level controls such as VPNs or IP allowlisting to reduce exposure. Implement robust monitoring and logging of wiki access and unusual query patterns to detect potential exploitation attempts. Review and minimize the storage of sensitive configuration data within wiki objects, moving credentials to secure vaults or configuration management systems. Enforce strong password policies and multi-factor authentication for wiki administrators to reduce the risk of credential compromise. Finally, conduct user awareness training to highlight the risks of data exposure and encourage prompt reporting of suspicious activity.
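The workaround only helps if every copy of the template is patched, so an audit needs to find each `suggest.vm` on disk and compare it to the patched reference. The following added script (not a tool shipped by XWiki) walks an installation directory, hashes every file with that name and reports which copies match a reference SHA-256 taken from the patched template. The directory layout in `demo()` is constructed, and the reference hash is whatever you compute from the patched file you deployed; templates overridden inside wiki pages rather than on the filesystem are outside what a directory walk can see and must be checked separately.

```python
"""Find every suggest.vm under an XWiki install and flag copies that differ
from the patched reference. Added illustration, not XWiki's own tooling.
The reference hash is supplied by the caller; demo() builds a constructed
directory tree so the script runs offline."""
import hashlib
import os
import tempfile

TEMPLATE_NAME = "suggest.vm"


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_templates(root: str) -> list:
    """Every file named suggest.vm at or below root. A skin overrides the
    stock template with a file of the same name, so each copy must be checked."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        if TEMPLATE_NAME in files:
            found.append(os.path.join(dirpath, TEMPLATE_NAME))
    return sorted(found)


def audit(root: str, reference_sha256: str) -> dict:
    """Map each copy to 'patched' (hash equals the reference) or 'unpatched'."""
    return {
        path: "patched" if sha256_of(path) == reference_sha256 else "unpatched"
        for path in find_templates(root)
    }


def demo() -> dict:
    """Constructed install tree: the stock template already replaced by the
    patched version, plus a skin override still carrying old content."""
    root = tempfile.mkdtemp(prefix="xwiki-audit-")
    patched = b"## constructed stand-in for the patched suggest.vm\n"
    stale = b"## constructed stand-in for an unpatched skin override\n"
    os.makedirs(os.path.join(root, "templates"))
    os.makedirs(os.path.join(root, "skins", "corporate"))
    with open(os.path.join(root, "templates", TEMPLATE_NAME), "wb") as fh:
        fh.write(patched)
    with open(os.path.join(root, "skins", "corporate", TEMPLATE_NAME), "wb") as fh:
        fh.write(stale)
    reference = hashlib.sha256(patched).hexdigest()   # hash of the deployed patched file
    result = audit(root, reference)
    # report paths relative to the install root so the output is stable
    return {os.path.relpath(p, root): state for p, state in result.items()}


if __name__ == "__main__":
    for path, state in demo().items():
        print(f"{state:9s} {path}")
```

Run `audit(<install root>, <sha256 of the patched suggest.vm>)` against a real deployment; any path reported as `unpatched` is an override that still needs the fix applied.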
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Poland, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9844c4522896dcbf3ddf
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/22/2025, 10:06:34 PM
Last updated: 8/16/2025, 6:26:35 PM