CVE-2022-41930: CWE-862: Missing Authorization in xwiki xwiki-platform
org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow a disabled user to re-enable themselves, or an attacker to disable any user of the wiki. The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2. Workarounds: The problem can be patched immediately by editing the page `XWiki.XWikiUserProfileSheet` in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa.
AI Analysis
Technical Summary
CVE-2022-41930 is a security vulnerability classified under CWE-862 (Missing Authorization) affecting the XWiki platform, specifically the component org.xwiki.platform:xwiki-platform-user-profile-ui. The vulnerability arises because the user profile management page (XWiki.XWikiUserProfileSheet) lacks proper authorization controls. This flaw allows any user, whether authenticated or unauthenticated, who can access this page to enable or disable any user profile within the wiki. Consequently, a disabled user could re-enable their own account without administrative approval, or an attacker could disable arbitrary user accounts, potentially disrupting legitimate user access and administrative control. The vulnerability affects XWiki platform versions starting from 12.4 up to but not including 13.10.7, and from 14.0.0 up to but not including 14.4.2. The issue has been addressed in versions 13.10.7, 14.4.2, and 14.5RC1. Immediate mitigation is possible by manually editing the XWiki.XWikiUserProfileSheet page to implement the authorization fixes as detailed in the referenced GitHub commit (https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa). There are no known exploits in the wild at this time, but the vulnerability's nature allows for potential misuse by unauthorized users, making it a significant risk if left unpatched. The vulnerability impacts the confidentiality and integrity of user account management and can affect availability by disabling user accounts, but it does not require authentication or user interaction to exploit, increasing its risk profile.
Potential Impact
For European organizations using the XWiki platform, this vulnerability poses a risk to user account integrity and operational continuity. Attackers could disable critical user accounts, including administrators, leading to denial of service for legitimate users and potential disruption of collaborative workflows. Additionally, unauthorized re-enablement of disabled accounts could undermine internal security policies and audit controls. Organizations relying on XWiki for knowledge management, documentation, or internal collaboration may face operational delays and increased administrative overhead to restore proper access controls. The lack of authentication requirement for exploitation increases the threat surface, especially for publicly accessible XWiki instances. This could lead to reputational damage, compliance issues (especially under GDPR if user data integrity is compromised), and potential insider threat scenarios if attackers manipulate user states to escalate privileges or bypass controls.
Mitigation Recommendations
1. Upgrade affected XWiki platform instances to versions 13.10.7, 14.4.2, or later where the vulnerability is patched.
2. If immediate upgrade is not feasible, apply the manual patch by editing the XWiki.XWikiUserProfileSheet page as per the official GitHub commit to enforce proper authorization.
3. Restrict access to the XWiki.XWikiUserProfileSheet page using XWiki's access control mechanisms to limit who can view or modify user profiles, ideally to trusted administrators only.
4. Monitor user account status changes closely through audit logs and set up alerts for unusual enable/disable activities.
5. Implement network-level protections such as IP whitelisting or VPN access for administrative interfaces to reduce exposure.
6. Conduct regular security reviews and penetration testing focused on authorization controls within the XWiki platform.
7. Educate administrators and users about the risk and encourage prompt reporting of suspicious account behavior.
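The following is an added, constructed model of the CWE-862 pattern described above together with the audit-log check from recommendation 4. It is not XWiki's code and does not reproduce the referenced commit; the `Wiki`, `User`, `ADMIN_RIGHT` and `suspicious_status_changes` names are assumptions made for this example. The unchecked path flips any profile for any caller (anonymous included), the checked path requires an enabled caller holding an admin right, and the detector flags enable/disable events whose actor is not a known administrator.

```python
"""Constructed model of CWE-862 in a user-profile sheet: the unchecked path
changes a user's enabled flag for any caller; the checked path requires the
caller to hold an admin right first. All names are assumptions for this
example, not XWiki's own API or code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ADMIN_RIGHT = "admin"  # assumed right name standing in for a wiki-level admin right


@dataclass
class User:
    name: str
    enabled: bool = True
    rights: set = field(default_factory=set)


class AuthorizationError(Exception):
    pass


@dataclass
class Wiki:
    users: Dict[str, User]
    audit: List[str] = field(default_factory=list)  # constructed audit log

    def _log(self, actor: Optional[str], target: str, enabled: bool) -> None:
        action = "enable" if enabled else "disable"
        self.audit.append(f"actor={actor or 'anonymous'} action={action} target={target}")

    # Vulnerable shape: anyone who can reach the sheet can flip any profile,
    # including an anonymous caller or the disabled user themselves.
    def set_enabled_unchecked(self, actor: Optional[str], target: str, enabled: bool) -> None:
        self.users[target].enabled = enabled
        self._log(actor, target, enabled)

    # Fixed shape: the caller must be a known, enabled user holding the admin right.
    def set_enabled(self, actor: Optional[str], target: str, enabled: bool) -> None:
        caller = self.users.get(actor) if actor else None
        if caller is None or not caller.enabled or ADMIN_RIGHT not in caller.rights:
            raise AuthorizationError(f"{actor or 'anonymous'} may not change {target}")
        self.users[target].enabled = enabled
        self._log(actor, target, enabled)


def suspicious_status_changes(audit: List[str], admins: set) -> List[str]:
    """Flag enable/disable events whose actor is not a known administrator
    (anonymous and self-service changes included)."""
    flagged = []
    for line in audit:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields["actor"] not in admins:
            flagged.append(line)
    return flagged


def demo() -> dict:
    wiki = Wiki(users={
        "Admin": User("Admin", rights={ADMIN_RIGHT}),
        "Alice": User("Alice", enabled=False),
    })
    # Unpatched behaviour: disabled Alice re-enables herself, anonymous disables Admin.
    wiki.set_enabled_unchecked("Alice", "Alice", True)
    wiki.set_enabled_unchecked(None, "Admin", False)
    unchecked_state = (wiki.users["Alice"].enabled, wiki.users["Admin"].enabled)

    # Reset and replay the same requests through the checked path.
    wiki.users["Alice"].enabled = False
    wiki.users["Admin"].enabled = True
    denied = 0
    for actor, target, flag in [("Alice", "Alice", True), (None, "Admin", False)]:
        try:
            wiki.set_enabled(actor, target, flag)
        except AuthorizationError:
            denied += 1
    wiki.set_enabled("Admin", "Alice", True)  # legitimate administrative action
    return {
        "unchecked_state": unchecked_state,
        "denied": denied,
        "checked_state": (wiki.users["Alice"].enabled, wiki.users["Admin"].enabled),
        "flagged": suspicious_status_changes(wiki.audit, admins={"Admin"}),
    }


if __name__ == "__main__":
    print(demo())
```

The two events recorded by the unchecked path are exactly the ones the detector flags, which is the signal an operator of an unpatched instance would want an alert on; once the checked path is in place, those requests are refused before anything is written.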
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-30T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf6d86
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 8:52:41 PM
Last updated: 8/3/2025, 12:49:32 PM
Views: 10
Related Threats
- CVE-2025-50610: n/a (High)
- CVE-2025-50609: n/a (High)
- CVE-2025-50608: n/a (High)
- CVE-2025-55194: CWE-248: Uncaught Exception in Part-DB Part-DB-server (Medium)
- CVE-2025-55197: CWE-400: Uncontrolled Resource Consumption in py-pdf pypdf (Medium)
Actions