CVE-2022-41936: 
Java vulnerability analysis and mitigation

The CVE-2022-41936 affects XWiki Platform's modifications REST endpoint. The vulnerability was discovered in July 2022 and disclosed on November 21, 2022. The issue affects XWiki Platform versions 8.1 and later, allowing unauthorized access to information that should be restricted. The vulnerability has been patched in versions 14.6, 14.4.3, and 13.10.8 (XWiki Advisory).

The vulnerability is classified as an Exposure of Private Personal Information to an Unauthorized Actor with a CVSS v3.1 score of 5.3 (Moderate). The attack vector is Network-based with low complexity, requiring no privileges or user interaction. The vulnerability exists in the modifications REST endpoint which failed to properly filter entries according to user access rights (XWiki Advisory).

The vulnerability allows unauthorized users to access hidden information through the modifications REST endpoint, including sensitive data such as comments, page names, and other content that should be restricted. This exposure occurs even when the web interface properly restricts access to the same information (Jira Issue).

Users are advised to upgrade to XWiki versions 14.6+, 14.4.3+, or 13.10.8+. No workarounds are available for older versions, which remain unpatched. The fix implements proper access control checks for the modifications REST endpoint (XWiki Advisory).