Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-f9gd-r31y-dycc
Summary
XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action
### Impact
All rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the login action and directly specified templates. This exposes title, content and comments of any document and properties of objects (class and property name must be known, though). This is also exploitable on [private wikis](https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Access%20Rights/#HPrivateWiki).

### Patches
This has been patched in versions 14.2 and 13.10.4 by properly checking view rights before loading documents and disallowing non-default templates in the login, registration and skin action.

### Workarounds
It would be possible to protect all templates individually by adding code to check access rights first, but due to the number of templates and the fact that some of them need to be used without view rights, this seems impractical.

### References
* https://jira.xwiki.org/browse/XWIKI-19549
* https://jira.xwiki.org/browse/XWIKI-18602

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [security mailing-list](mailto:security@xwiki.com)
Aliases
0
alias CVE-2022-36092
1
alias GHSA-8h89-34w2-jpfm
Fixed_packages
0
url pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@13.10.4
purl pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@13.10.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4mj5-repk-zyg2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@13.10.4
1
url pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.2
purl pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4mj5-repk-zyg2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.2
Affected_packages
0
url pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.0
purl pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cred-gs3x-1yc5
1
vulnerability VCID-f9gd-r31y-dycc
2
vulnerability VCID-mgyt-2kx1-9yfz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.0
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-36092
reference_id
reference_type
scores
0
value 0.00294
scoring_system epss
scoring_elements 0.52738
published_at 2026-04-24T12:55:00Z
1
value 0.00294
scoring_system epss
scoring_elements 0.52705
published_at 2026-04-02T12:55:00Z
2
value 0.00294
scoring_system epss
scoring_elements 0.52732
published_at 2026-04-04T12:55:00Z
3
value 0.00294
scoring_system epss
scoring_elements 0.52697
published_at 2026-04-07T12:55:00Z
4
value 0.00294
scoring_system epss
scoring_elements 0.52749
published_at 2026-04-08T12:55:00Z
5
value 0.00294
scoring_system epss
scoring_elements 0.52743
published_at 2026-04-09T12:55:00Z
6
value 0.00294
scoring_system epss
scoring_elements 0.52794
published_at 2026-04-11T12:55:00Z
7
value 0.00294
scoring_system epss
scoring_elements 0.52777
published_at 2026-04-12T12:55:00Z
8
value 0.00294
scoring_system epss
scoring_elements 0.52761
published_at 2026-04-13T12:55:00Z
9
value 0.00294
scoring_system epss
scoring_elements 0.52799
published_at 2026-04-16T12:55:00Z
10
value 0.00294
scoring_system epss
scoring_elements 0.52806
published_at 2026-04-18T12:55:00Z
11
value 0.00294
scoring_system epss
scoring_elements 0.5279
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-36092
1
reference_url https://github.com/xwiki/xwiki-platform
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/xwiki/xwiki-platform
2
reference_url https://github.com/xwiki/xwiki-platform/commit/71a6d0bb6f8ab718fcfaae0e9b8c16c2d69cd4bb
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:44Z/
url https://github.com/xwiki/xwiki-platform/commit/71a6d0bb6f8ab718fcfaae0e9b8c16c2d69cd4bb
3
reference_url https://github.com/xwiki/xwiki-platform/commit/9b7057d57a941592d763992d4299456300918208
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:44Z/
url https://github.com/xwiki/xwiki-platform/commit/9b7057d57a941592d763992d4299456300918208
4
reference_url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8h89-34w2-jpfm
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:44Z/
url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8h89-34w2-jpfm
5
reference_url https://jira.xwiki.org/browse/XWIKI-18602
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:44Z/
url https://jira.xwiki.org/browse/XWIKI-18602
6
reference_url https://jira.xwiki.org/browse/XWIKI-19549
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:44Z/
url https://jira.xwiki.org/browse/XWIKI-19549
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-36092
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-36092
8
reference_url https://github.com/advisories/GHSA-8h89-34w2-jpfm
reference_id GHSA-8h89-34w2-jpfm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8h89-34w2-jpfm
Weaknesses
0
cwe_id 287
name Improper Authentication
description When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
1
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score7.0 - 8.9
Exploitability0.5
Weighted_severity8.0
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-f9gd-r31y-dycc