GHSA-2jhm-qp48-hv5j

GitHub Security Advisory

Missing authorization in xwiki-platform

GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

### Impact

Any user with SCRIPT right (EDIT right before XWiki 7.4) can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString:

```velocity
$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")
```

### Patches

It has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1.

### Workarounds

The only workaround is to give SCRIPT right only to trusted users.
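The impact section above shows the call shape a script author would use to reach files under the WAR's `WEB-INF` directory, and the workaround section says the only mitigation on unpatched versions is limiting who holds SCRIPT right. An administrator who has to live with that workaround for a while usually also wants to know whether any existing wiki page already contains such a call. The following audit helper is an added example written for this advisory; it is not code from the XWiki project and does not reproduce the upstream fix. It scans the source of wiki pages (three constructed page bodies are embedded as sample input) for `$xwiki.invokeServletAndReturnAsString(...)` calls, canonicalises the literal path argument, and reports any call whose path lands under `/WEB-INF` or `/META-INF`. Calls whose argument is not a string literal cannot be resolved statically, so they are reported for manual review rather than silently skipped. The function names, the page names and the protected-prefix list are assumptions of this example.

```python
"""Audit helper (example code, not part of XWiki): find Velocity scripts in
wiki page sources that call invokeServletAndReturnAsString with a path under
the WAR's protected directories, as described in GHSA-2jhm-qp48-hv5j."""
import posixpath
import re
from urllib.parse import unquote

# Directories inside a servlet WAR that a servlet path must never resolve to.
# Assumption of this example: WEB-INF and META-INF are the ones to guard.
PROTECTED_PREFIXES = ("/WEB-INF", "/META-INF")

# Matches $xwiki.invokeServletAndReturnAsString( <argument> ) in page source.
CALL_RE = re.compile(r"\$xwiki\.invokeServletAndReturnAsString\(\s*(?P<arg>[^)]*)\)")
# Matches an argument that is a plain single- or double-quoted string literal.
STRING_RE = re.compile(r'^\s*["\']([^"\']*)["\']\s*$')


def canonical_servlet_path(path):
    """Return the path in the form the container would resolve it:
    percent-decoded, absolute, with '.' and '..' segments collapsed."""
    decoded = unquote(path)
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return posixpath.normpath(decoded)


def is_protected_path(path):
    """True if the canonical form of `path` is a protected directory or a
    file inside one. The comparison is case-insensitive so that containers
    on case-insensitive file systems are covered as well."""
    canon = canonical_servlet_path(path).upper()
    return any(canon == p or canon.startswith(p + "/") for p in PROTECTED_PREFIXES)


def audit_page(page_name, content):
    """Return (page, line_no, verdict, argument) tuples for every call found.
    verdict is 'protected-path' for a literal path under a protected prefix,
    and 'review' when the argument is not a string literal (e.g. a variable),
    which a static scan cannot resolve."""
    findings = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        for match in CALL_RE.finditer(line):
            arg = match.group("arg")
            literal = STRING_RE.match(arg)
            if literal is None:
                findings.append((page_name, line_no, "review", arg.strip()))
            elif is_protected_path(literal.group(1)):
                findings.append((page_name, line_no, "protected-path", literal.group(1)))
    return findings


# Constructed sample page sources standing in for an export of the wiki.
SAMPLE_PAGES = {
    "Sandbox.ConfigDump": (
        "{{velocity}}\n"
        '$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")\n'
        "{{/velocity}}"
    ),
    "Main.Calendar": (
        "{{velocity}}\n"
        '#set($out = $xwiki.invokeServletAndReturnAsString("/bin/view/Main/Events"))\n'
        "{{/velocity}}"
    ),
    "Sandbox.Dynamic": (
        "{{velocity}}\n"
        '#set($p = "/bin/view/Main/WebHome")\n'
        "$xwiki.invokeServletAndReturnAsString($p)\n"
        "{{/velocity}}"
    ),
}


def audit_all(pages=SAMPLE_PAGES):
    """Audit every page in `pages` and return the combined findings."""
    findings = []
    for name, content in pages.items():
        findings.extend(audit_page(name, content))
    return findings


if __name__ == "__main__":
    for page, line_no, verdict, arg in audit_all():
        print(f"{verdict:15} {page}:{line_no}  {arg}")
```

On the constructed sample the scan reports `Sandbox.ConfigDump` line 2 as a protected-path call and `Sandbox.Dynamic` line 3 for manual review, while the ordinary `/bin/view/...` call in `Main.Calendar` is left alone. To run it against a real instance, feed `audit_all` a mapping of page names to page content taken from a wiki export; the findings list is the set of pages whose authors' SCRIPT right deserves a second look under the workaround above.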

### References

https://jira.xwiki.org/browse/XWIKI-18870

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki](https://jira.xwiki.org)
* Email us at [our security mailing list](mailto:[email protected])

Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
| --- | --- | --- | --- |
| Maven | org.xwiki.platform:xwiki-platform-oldcore | 13.6-rc-1 | 13.7-rc-1 |
| Maven | org.xwiki.platform:xwiki-platform-oldcore | 13.0.0 | 13.4.3 |
| Maven | org.xwiki.platform:xwiki-platform-oldcore | 0 | 12.10.9 |

Key Information

GHSA ID: GHSA-2jhm-qp48-hv5j
Published: February 9, 2022 9:56 PM
Last Modified: February 9, 2022 9:56 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: Maven
Primary Package: org.xwiki.platform:xwiki-platform-oldcore
GitHub Reviewed: Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.