GHSA-p5v9-g8w8-5q4v

GitHub Security Advisory

Missing Authorization to enable or disable users in org.xwiki.platform:xwiki-platform-user-profile-ui

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

### Impact

Any user (logged in or not) with access to the page `XWiki.XWikiUserProfileSheet` can enable or disable any user profile. This might allow a disabled user to re-enable themselves, or an attacker to disable any user of the wiki.

### Patches

The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2.

### Workarounds

The problem can be patched immediately by editing the page `XWiki.XWikiUserProfileSheet` in the wiki and applying the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa.

### References

* https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa
* https://jira.xwiki.org/browse/XWIKI-19792

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [JIRA](https://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])

Affected Packages

* Maven `org.xwiki.platform:xwiki-platform-user-profile-ui`, affected versions: 12.4 (fixed in 13.10.7)
* Maven `org.xwiki.platform:xwiki-platform-user-profile-ui`, affected versions: 14.0.0 (fixed in 14.4.2)

Key Information

* GHSA ID: GHSA-p5v9-g8w8-5q4v
* Published: November 21, 2022 10:35 PM
* Last Modified: January 22, 2025 5:43 PM
* CVSS Score: 9.0/10
* Primary Ecosystem: Maven
* Primary Package: `org.xwiki.platform:xwiki-platform-user-profile-ui`
* GitHub Reviewed: Yes

Dataset

Last updated: July 28, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.