GHSA-qpp2-2mcp-2wm5

GitHub Security Advisory

Unauthenticated user can list hidden document from multiple velocity templates in XWiki

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact
A guest user without the right to view pages of the wiki can still list documents by rendering some Velocity documents.

### Patches
The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1.

### Workarounds
There is no known workaround for this problem.

### References
https://jira.xwiki.org/browse/XWIKI-16544

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki](https://jira.xwiki.org)
* Email us at [our security mailing list](mailto:[email protected])

Affected Packages

* Maven `org.xwiki.platform:xwiki-platform-web`, affected versions: 0 (fixed in 12.10.11)
* Maven `org.xwiki.platform:xwiki-platform-web`, affected versions: 13.0.0 (fixed in 13.4.4)
* Maven `org.xwiki.platform:xwiki-platform-web`, affected versions: 13.5.0 (fixed in 13.9)

Key Information

* GHSA ID: GHSA-qpp2-2mcp-2wm5
* Published: April 8, 2022 10:00 PM
* Last Modified: April 19, 2022 6:26 PM
* CVSS Score: 5.0/10
* Primary Ecosystem: Maven
* Primary Package: org.xwiki.platform:xwiki-platform-web
* GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 24, 2025 6:07 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.