CVE-2022-41929

CVSS v3 Score
4.9
Medium

Vulnerability Description

org.xwiki.platform:xwiki-platform-oldcore is missing an authorization check in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to be available only to users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.

CVSS:4.9(Medium)

Unauthenticated users can access sensitive web URLs through a GET request, which should be restricted to maintenance users only. A malicious attacker could use this sensitive information to launch fur...

CVSS:4.9(Medium)

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for...

CVSS:4.9(Medium)

VMware Cloud Director contains an Improper Privilege Management vulnerability. An authenticated tenant administrator for a given organization within VMware Cloud Director may be able to accidentally d...

CVSS:4.9(Medium)

Missing Authorization vulnerability in Rustaurius Five Star Restaurant Reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Five Star Restaurant Res...

CVSS:4.9(Medium)

Missing Authorization vulnerability in CreativeThemes Blocksy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Blocksy: from n/a through 2.0.97.

CVSS:5.0(Medium)

In getInputMethodWindowVisibleHeight of InputMethodManagerService.java, there is a possible way to determine when another app is showing an IME due to a missing permission check. This could lead to lo...