CVE-2022-41930: 
Java vulnerability analysis and mitigation

CVE-2022-41930 is a high-severity vulnerability affecting XWiki Platform's user profile UI component (org.xwiki.platform:xwiki-platform-user-profile-ui). The vulnerability was discovered in June 2022 and affects versions 12.4 and above. It allows any user with view access to enable or disable any user profile in the system, including the ability for disabled users to re-enable themselves (GitHub Advisory).

The vulnerability stems from a missing authorization check in the XWiki.XWikiUserProfileSheet page. When accessing the endpoint with specific parameters (action=disable/enable, userId, and CSRF token), any user could modify the enabled/disabled status of any user account. The vulnerability has a CVSS v3.1 score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

The vulnerability has two major impacts: First, it enables attackers to sabotage the wiki by disabling all user accounts. Second, it allows disabled users to bypass administrative controls by re-enabling their own accounts. This particularly affects wikis that aren't private, though the impact on private wikis wasn't fully determined (XWIKI Jira).

The vulnerability has been patched in XWiki versions 14.5RC1, 14.4.2, and 13.10.7. For immediate mitigation before updating, administrators can edit the XWiki.XWikiUserProfileSheet page and implement the changes contained in commit 5be1cc0, which adds proper authorization checks (GitHub Advisory).