CVE-2022-36092: CWE-287: Improper Authentication in xwiki xwiki-platform
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 14.2 and 13.10.4, all rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the login action and directly specified templates. This exposes title, content and comments of any document and properties of objects, though class and property name must be known. This is also exploitable on private wikis. This has been patched in versions 14.2 and 13.10.4 by properly checking view rights before loading documents and disallowing non-default templates in the login, registration and skin action. As a workaround, it would be possible to protect all templates individually by adding code to check access rights first.
AI Analysis
Technical Summary
CVE-2022-36092 is classified as CWE-287 (Improper Authentication) and affects XWiki Platform Old Core, the core package of the XWiki Platform wiki engine. Affected versions are 13.x releases before 13.10.4 and 14.x releases before 14.2 (that is, 14.0 and 14.1), together with anything older than the 13.10.x line; the fixes shipped in 13.10.4 and 14.2. The flaw is a missing view-rights check: the login action accepts a directly specified template, and that template is rendered against the requested document before the platform verifies that the requester is allowed to view it. The result is an information disclosure rather than a credential bypass: an attacker can read the title, content and comments of any document, and the property values of any object attached to it, provided they know the object's class name and property names. Because the login action is reachable without a session, the issue is also exploitable on private wikis, where every document is meant to be hidden from unauthenticated users. The root causes are loading documents before checking view rights and accepting non-default templates in the login, registration and skin actions. The fix in 13.10.4 and 14.2 checks view rights before loading the document and restricts those three actions to their default templates. As a workaround on unpatched instances, each template can be protected individually by adding an access-rights check at the top, before any document content is rendered. No in-the-wild exploitation has been reported, but the exposed data is sensitive and the bypass requires nothing beyond a crafted request and knowledge of a document name, so the risk is significant.
Potential Impact
For European organizations running vulnerable versions of XWiki Platform, the direct impact is loss of confidentiality: anyone who can reach the login endpoint can read documents that rights rules were supposed to hide, without holding an account. Since XWiki is commonly used for collaborative knowledge management, this can expose proprietary information, internal communications, project details and other business data, and on a private wiki the whole content base is in scope rather than a few misconfigured pages. Information gained this way can feed follow-on attacks such as social engineering or intellectual property theft. The vulnerability itself does not let an attacker modify content, so integrity is affected only indirectly (through what an attacker does with the knowledge gained), and availability is not affected. Reputational damage and compliance consequences (for example under GDPR, where disclosure of personal data can trigger breach-notification duties) may nevertheless be severe, and sectors with strict data-protection requirements such as finance, healthcare and government are particularly exposed. No exploitation in the wild has been reported, but the bypass needs only a crafted URL and a document name, so it is cheap to attempt once widely known.
Mitigation Recommendations
1. Upgrade to XWiki Platform 13.10.4 or 14.2 (or any later release); these are the versions that contain the fix.
2. If upgrading is not immediately possible, apply the workaround from the advisory: add an access-rights check at the top of every template that can render document content, so that view rights on the requested document are verified before any title, content, comment or object property is output. A check placed after the content has already been rendered protects nothing.
3. On unpatched instances, block requests to the login, register and skin actions that carry the template-selection parameter (xpage) at the reverse proxy or WAF. Patched versions refuse non-default templates in these actions anyway, so such requests are not legitimate traffic.
4. Audit existing wiki content to identify sensitive documents and object properties, and review whether any of them were reachable while the instance was unpatched.
5. Monitor access logs for requests to the login, register or skin actions that include a template parameter, in particular series of such requests from one source that name many different documents; on an unpatched instance this is the exploitation pattern, on a patched one it indicates probing.
6. Educate internal users about the risk of placing sensitive information on wikis and enforce content classification and access policies.
7. Reduce the exposure of private wikis with network-level controls such as IP allowlisting or VPN-only access, which keeps the unauthenticated login endpoint off the public internet.
8. Review and update wiki platform components and dependencies regularly so that security patches are applied promptly.
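The following is an added example for items 1 and 5 of the list above; it is not XWiki project code and not part of the original advisory. It gates a version string against the affected ranges (13.x before 13.10.4, 14.x before 14.2, anything older) and scans access-log lines for the exploitation pattern: a request to the login, register or skin action that explicitly selects a template. It assumes Apache/Tomcat combined log format, the standard XWiki URL layout /<context>/bin/<action>/<Space>/<Page> (with XWiki short URLs the /bin/ segment is absent and ACTION_RE must be adjusted), and that the template selector is XWiki's xpage request parameter; the sample log lines are constructed.

```python
"""Version gate and access-log detector for CVE-2022-36092.

Added example for this page, not XWiki project code. Assumptions:
  * access logs are in Apache/Tomcat "combined" format;
  * the standard XWiki URL layout /<context>/bin/<action>/<Space>/<Page> is in
    use (with XWiki "short URLs" the /bin/ segment is absent: edit ACTION_RE);
  * the template selector is XWiki's xpage request parameter;
  * the lines in SAMPLE_LOG are constructed for this example.
"""
import re
from typing import NamedTuple, Optional
from urllib.parse import parse_qs, urlsplit

# Actions that 13.10.4 / 14.2 restrict to their default template. On an
# unpatched instance an explicitly selected template on these is the bypass.
SENSITIVE_ACTIONS = frozenset({"login", "register", "skin"})
TEMPLATE_PARAM = "xpage"  # XWiki template-selection parameter (assumption)

# /<context>/bin/<action>/<Space>/<Page>; the context segment may be absent.
ACTION_RE = re.compile(r"^(?:/[^/]+)?/bin/(?P<action>[a-z]+)/(?P<target>[^?]*)")

# Combined log format, parsed up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


class Finding(NamedTuple):
    ip: str
    time: str
    action: str
    target: str    # document the request names, i.e. what would be disclosed
    template: str
    status: str


def classify_request(url: str) -> Optional[tuple[str, str, str]]:
    """Return (action, target, template) when the URL hits a sensitive action
    with an explicitly selected template, otherwise None."""
    parts = urlsplit(url)
    m = ACTION_RE.match(parts.path)
    if not m or m.group("action") not in SENSITIVE_ACTIONS:
        return None
    templates = parse_qs(parts.query, keep_blank_values=True).get(TEMPLATE_PARAM)
    if not templates:
        return None
    return m.group("action"), m.group("target"), templates[0]


def scan_log(lines) -> list[Finding]:
    """Run classify_request over access-log lines and collect the hits."""
    findings = []
    for line in lines:
        lm = LOG_RE.match(line)
        if not lm:
            continue
        hit = classify_request(lm.group("url"))
        if hit:
            action, target, template = hit
            findings.append(Finding(lm.group("ip"), lm.group("time"), action,
                                    target, template, lm.group("status")))
    return findings


def is_affected_version(version: str) -> bool:
    """Affected: 14.x before 14.2, 13.x before 13.10.4, and anything older.
    Components are compared numerically, so 13.10.5 is correctly unaffected."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if major < 13:
        return True
    if major == 13:
        return (minor, patch) < (10, 4)
    if major == 14:
        return minor < 2
    return False


# Constructed sample: an ordinary page view, a normal login, three
# template-bearing requests to the three sensitive actions naming two
# documents, and a view request that is rejected (403) because the view
# action does check rights.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jul/2022:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jul/2022:10:01:09 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jul/2022:10:02:41 +0000] "GET /xwiki/bin/login/Finance/Budget2023?xpage=plain HTTP/1.1" 200 8842 "-" "curl/7.81.0"
198.51.100.7 - - [15/Jul/2022:10:02:43 +0000] "GET /xwiki/bin/register/HR/Salaries?xpage=plain HTTP/1.1" 200 12044 "-" "curl/7.81.0"
198.51.100.7 - - [15/Jul/2022:10:02:50 +0000] "GET /xwiki/bin/skin/Finance/Budget2023?xpage=plain HTTP/1.1" 200 100 "-" "curl/7.81.0"
203.0.113.5 - - [15/Jul/2022:10:03:00 +0000] "GET /xwiki/bin/view/Finance/Budget2023?xpage=plain HTTP/1.1" 403 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.time} {f.ip} {f.action} {f.target} template={f.template} status={f.status}")
    for v in ("13.10.3", "13.10.4", "14.1", "14.2"):
        print(v, "affected" if is_affected_version(v) else "patched")
```

The detector flags any explicitly selected template on the three actions rather than a list of known-bad template names, because the fix makes every non-default template on those actions illegitimate; the template value is still recorded for triage. The view request with the same parameter is deliberately not flagged, since the view action performs its own rights check and a 403 there is the expected outcome. Status codes are kept in the findings so that 200 responses on an unpatched instance can be separated from the rejections a patched one produces.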
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Finland
Technical Details
Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true
Threat ID: 682d9844c4522896dcbf3de3
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/22/2025, 10:06:20 PM
Last updated: 8/10/2025, 11:52:12 PM
Related Threats
CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)
CVE-2025-9088: Stack-based Buffer Overflow in Tenda AC20 (High)