CVE-2022-41929 is a security vulnerability identified in the XWiki platform, specifically in the module org.xwiki.platform:xwiki-platform-oldcore. The vulnerability arises from missing authorization checks in the User#setDisabledStatus method. This method controls the ability to enable or disable user accounts within the XWiki platform. Normally, this operation is restricted to users with administrative privileges to prevent unauthorized account management. However, due to the missing authorization, any user with Script rights— a lower privilege level intended for running scripts but not for administrative actions—can exploit this flaw to enable or disable user accounts arbitrarily. This can lead to unauthorized account disabling, effectively locking out legitimate users, or enabling accounts that should remain disabled, potentially facilitating unauthorized access. The affected versions include XWiki platform releases from 11.7RC1 up to but not including 13.10.7, and from 14.0.0 up to but not including 14.4.2. The issue has been addressed and patched in versions 13.10.7, 14.4.2, and 14.5RC1. No known exploits have been reported in the wild to date. The vulnerability is classified under CWE-862 (Missing Authorization), indicating a failure to enforce proper access control. This flaw could be exploited by an attacker who has gained Script rights, which may be obtained through other vulnerabilities or misconfigurations, to escalate their control over user account management within the platform.

For European organizations using the XWiki platform within the affected versions, this vulnerability poses a significant risk to user account integrity and operational continuity. Unauthorized disabling of user accounts could disrupt business processes, especially if critical administrative or service accounts are targeted, leading to denial of service for legitimate users. Conversely, unauthorized enabling of disabled accounts could allow previously blocked or compromised accounts to regain access, increasing the risk of insider threats or persistent unauthorized access. Given that XWiki is often used for collaborative documentation and knowledge management, such disruptions could impact information availability and integrity. The medium severity rating reflects that while the vulnerability requires the attacker to have Script rights (a non-administrative privilege), the potential for privilege escalation and disruption is notable. European organizations in sectors relying heavily on collaborative platforms—such as government agencies, educational institutions, and enterprises—may face operational risks and potential compliance issues if unauthorized account manipulations occur. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially if attackers combine this vulnerability with other weaknesses to gain Script rights.

1. Immediate upgrade to patched versions of XWiki platform: specifically, versions 13.10.7, 14.4.2, or later. This is the most effective mitigation to eliminate the vulnerability. 2. Restrict Script rights assignment strictly: audit and minimize the number of users with Script rights to reduce the attack surface. Ensure that only trusted users or service accounts have these privileges. 3. Implement monitoring and alerting on user account status changes: configure logging to detect any enable/disable actions on user accounts, especially those performed by users with Script rights. 4. Conduct regular access reviews: verify that user privileges, particularly Script rights, are appropriate and revoke unnecessary permissions. 5. Harden the environment hosting XWiki: apply network segmentation and access controls to limit exposure of the platform to only trusted networks and users. 6. Employ multi-factor authentication (MFA) for administrative and privileged accounts to reduce the risk of credential compromise leading to privilege escalation. 7. Review and apply security best practices for XWiki configuration, including disabling or restricting scripting capabilities if not required. 8. Prepare incident response plans to quickly address any unauthorized account management activities detected.