How severe is CVE-2022-36093?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.1 out of 10.

What type of vulnerability is CVE-2022-36093?

This is classified as CWE-287, which is a common weakness in software security.

CVE-2022-36093 - HIGH Severity | CVSS 7.1

Vulnerability Description

XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. By passing a template of the distribution wizard to the xpart template, user accounts can be created even when user registration is disabled. This also circumvents any email verification. Before versions 14.2 and 13.10.4, this can also be exploited on a private wiki, thus potentially giving the attacker access to the wiki. Depending on the configured default rights of users, this could also give attackers write access to an otherwise read-only public wiki. Users can also be created when an external authentication system like LDAP is configured, but authentication fails unless the authentication system supports a bypass/local accounts are enabled in addition to the external authentication system. This issue has been patched in XWiki 13.10.5 and 14.3RC1. As a workaround, one may replace `xpart.vm`, the entry point for this attack, by a patched version from the patch without updating XWiki.

Related Vulnerabilities

CVE-2013-5116

HIGH

CVSS:7.1(High)

Evernote prior to 5.5.1 has insecure password change

CWE-2872013

CVE-2017-12778

HIGH

CVSS:7.1(High)

The UI Lock feature in qBittorrent version 3.3.15 is vulnerable to Authentication Bypass, which allows Attack to gain unauthorized access to qBittorrent functions by tampering the affected flag value ...

CWE-2872017

CVE-2018-1738

HIGH

CVSS:7.1(High)

IBM Security Key Lifecycle Manager 2.6, 2.7, 3.0 could allow an authenticated user to obtain highly sensitive information or jeopardize system integrity due to improper authentication mechanisms. IBM ...

CWE-2872018

CVE-2018-4064

HIGH

CVSS:7.1(High)

An exploitable unverified password change vulnerability exists in the ACEManager upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause a unveri...

CWE-2872018

CVE-2020-10709

HIGH

CVSS:7.1(High)

A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a ...

CWE-2872020

CVE-2021-20593

HIGH

CVSS:7.1(High)

Incorrect Implementation of Authentication Algorithm in Mitsubishi Electric Air Conditioning System/Centralized Controllers (G-50A Ver.2.50 to Ver. 3.35, GB-50A Ver.2.50 to Ver. 3.35, AG-150A-A Ver.3....

CWE-2872021