CVE-2022-36091: 
Java vulnerability analysis and mitigation

A missing authorization vulnerability was discovered in XWiki Platform's web templates component (CVE-2022-36091), affecting versions from 1.3 through versions prior to 13.10.4 and 14.2. The vulnerability was discovered on July 22, 2021, and publicly disclosed on September 8, 2022. The issue affects the suggestion feature in XWiki's template system, specifically within the suggest.vm template file (XWiki Advisory).

The vulnerability is classified with a CVSS v3.1 score of 7.5 (High severity), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue is characterized by CWE-359 (Exposure of Private Personal Information) and CWE-862 (Missing Authorization). The vulnerability exists in the suggestion feature where string and list properties of objects could be accessed without proper authorization checks (XWiki Advisory).

The vulnerability allows unauthorized access to sensitive information including private personal information such as email addresses and salted password hashes of registered users. Additionally, sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. The vulnerability could even be exploited on private wikis for string properties (XWiki Advisory).

The vulnerability has been patched in XWiki versions 13.10.4 and 14.2. The fix includes preventing the display of password properties and implementing proper rights checking for other properties. As a workaround, users can replace the template file suggest.vm with a patched version without upgrading or restarting XWiki, unless it has been overridden, in which case the overridden template should be patched (XWiki Advisory).