A security vulnerability (CVE-2022-41930) has been discovered in the XWiki Platform User Profile UI (org.xwiki.platform:xwiki-platform-user-profile-ui) that could allow unauthorized users to enable or disable any user profile within the wiki. This vulnerability might enable a disabled user to re-enable themselves or give attackers the ability to disable any user account, potentially causing severe disruptions to your wiki. The issue has been addressed in XWiki 13.10.7, 14.5RC1, and 14.4.2.

Details

The vulnerability lies in the lack of proper authorization checks in the XWiki Platform User Profile UI. Specifically, any user (logged in or not) with access to the XWiki.XWikiUserProfileSheet page can enable or disable any user profile. This critical insecurity exposes your wiki to attackers, who can either re-activate disabled accounts or disable any user, including administrators.

The issue has been fixed in the following versions: XWiki 13.10.7, 14.5RC1, and 14.4.2.

Code Snippet

The problem can be patched immediately by editing the page XWiki.XWikiUserProfileSheet in the wiki and performing the changes contained in this commit:

https://github.com/xwiki/xwiki-platform/commit/5be1ccadf917bf10899c47723fa451e950271fa

Affected code (before patch)

function() {
  var notifications = new XWiki.widgets.Notification("{$escapetool.javascript($services.localization.render("userprofile.editor.togglingstatus"))}", 'inprogress'); 
  new Ajax.Request(this.href, {

Patched code (after implementing changes)

function() {
  if (this.hasClassName("protected")) {
    return false;
  }
  var notifications = new XWiki.widgets.Notification("{$escapetool.javascript($services.localization.render("userprofile.editor.togglingstatus"))}", 'inprogress');
  new Ajax.Request(this.href, {

Exploit Details

An attacker could exploit this vulnerability by accessing the XWiki.XWikiUserProfileSheet page and then sending a specially crafted request to enable or disable any user account. This could cause severe consequences, including unauthorized access and control of your wiki, disabled administrators, data loss, or data tampering.

Original References

1. XWiki Security Advisory: https://jira.xwiki.org/browse/XWIKI-19352
2. National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2022-41930
3. GitHub Commit: https://github.com/xwiki/xwiki-platform/commit/5be1ccadf917bf10899c47723fa451e950271fa

Conclusion

To ensure the security of your XWiki instance, it is crucial to immediately apply the patch for the CVE-2022-41930 vulnerability, either by upgrading to the latest fixed version (XWiki 13.10.7, 14.5RC1, or 14.4.2) or manually implementing the changes to the XWiki.XWikiUserProfileSheet page using the provided code snippet from the GitHub commit. By taking swift action, you will protect your wiki from potential attacks that could lead to unauthorized access, data loss, and other serious consequences.

Timeline

Published on: 11/23/2022 19:15:00 UTC
Last modified on: 11/30/2022 16:50:00 UTC