How severe is CVE-2022-23621?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.9 out of 10.

What type of vulnerability is CVE-2022-23621?

This is classified as CWE-862, which is a common weakness in software security.

CVE-2022-23621

MEDIUM Year: 2022

CVSS v3 Score

4.9

Medium

CVSS v2 Score

4.0

Medium

Weakness Type

CWE-862

View all →

Vulnerability Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")`. This issue has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1. Users are advised to update. The only workaround is to limit SCRIPT right.

CVE-2021-32503

MEDIUM

CVSS:4.9(Medium)

Unauthenticated users can access sensitive web URLs through GET request, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information’s to launch fur...

CWE-8622021

CVE-2022-41929

MEDIUM

CVSS:4.9(Medium)

org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This o...

CWE-8622022

CVE-2024-22272

MEDIUM

CVSS:4.9(Medium)

VMware Cloud Director contains an Improper Privilege Management vulnerability. An authenticated tenant administrator for a given organization within VMware Cloud Director may be able to accidentally d...

CWE-8622024

CVE-2025-30861

MEDIUM

CVSS:4.9(Medium)

Missing Authorization vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Res...

CWE-8622025

CVE-2025-47465

MEDIUM

CVSS:4.9(Medium)

Missing Authorization vulnerability in CreativeThemes Blocksy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Blocksy: from n/a through 2.0.97.

CWE-8622025

CVE-2022-20394

MEDIUM

CVSS:5.0(Medium)

In getInputMethodWindowVisibleHeight of InputMethodManagerService.java, there is a possible way to determine when another app is showing an IME due to a missing permission check. This could lead to lo...

CWE-8622022

CVE-2022-23621

Vulnerability Description

Related Vulnerabilities

CVE-2021-32503

CVE-2022-41929

CVE-2024-22272

CVE-2025-30861

CVE-2025-47465

CVE-2022-20394