CVE-2022-23617: 
Java vulnerability analysis and mitigation

A vulnerability in XWiki Platform (CVE-2022-23617) allows users with edit rights to access content of pages they don't have permission to view by using them as templates for new pages. The vulnerability was discovered in March 2021 and affects XWiki Platform versions before 12.10.6 and 13.2-rc-1. The issue was patched in versions 12.10.6 and 13.2-rc-1 (XWiki Advisory).

The vulnerability stems from improper access control when handling template documents. When creating a new page, users could specify any existing page as a template using the template parameter in the URL, even if they didn't have view rights to that page. The system would then copy the content of the restricted page into the new page creation form, effectively bypassing the access controls. The vulnerability has a CVSS v3.1 base score of 6.5 (Moderate) with vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (XWiki Advisory).

The vulnerability allows any user with edit rights to view the content of restricted pages by using them as templates for new pages. This results in unauthorized access to potentially sensitive information that was meant to be restricted to specific users or groups. Even though the resulting new page would not be visible to the user after saving, the content would be exposed during the creation process (XWiki Issue).

The vulnerability has been fixed in XWiki Platform versions 12.10.6 and 13.2-rc-1. The patch implements proper access control checks before allowing a page to be used as a template. There are no workarounds available besides upgrading to a patched version (XWiki Advisory).