How severe is CVE-2022-36090?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.1 out of 10.

What type of vulnerability is CVE-2022-36090?

This is classified as CWE-285, which is a common weakness in software security.

CVE-2022-36090 - HIGH Severity | CVSS 8.1

Vulnerability Description

XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. On the same way some resources handler created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki for instance configured with the email activation required for new users. Now it's more critical for versions 11.3-rc-1 and later since the maintainers provided the capability to disable user without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki.

Related Vulnerabilities

CVE-2016-10859

HIGH

CVSS:8.1(High)

cPanel before 11.54.0.0 allows unauthorized password changes via Webmail API commands (SEC-65).

CWE-2852016

CVE-2016-7143

HIGH

CVSS:8.1(High)

The m_authenticate function in modules/m_sasl.c in Charybdis before 3.5.3 allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted AUTHENTICATE p...

CWE-2852016

CVE-2018-1082

HIGH

CVSS:8.1(High)

A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a user account using OAuth2 authentication method was once confirmed but later suspended, the user could still login to the site.

CWE-2852018

CVE-2018-10861

HIGH

CVSS:8.1(High)

A flaw was found in the way ceph mon handles user requests. Any authenticated ceph user having read access to ceph can delete, create ceph storage pools and corrupt snapshot images. Ceph branches mast...

CWE-2852018

CVE-2018-14637

HIGH

CVSS:8.1(High)

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An attacker can exploit this vulnerability to perform a replay attack.

CWE-2852018

CVE-2018-15465

HIGH

CVSS:8.1(High)

A vulnerability in the authorization subsystem of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, but unprivileged (levels 0 and 1), remote attacker to perform privilege...

CWE-2852018