CVE-2022-24819 — Unauthenticated user can retrieve the list of users through uorgsuggest.vm

Description

A guest user without the right to view pages of the wiki can still list documents related to users of the wiki. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem.

How to fix CVE-2022-24819

To remediate CVE-2022-24819, upgrade the affected package to a fixed version below.

—upgrade to 12.10.11 or later

Is CVE-2022-24819 being exploited?

Low — EPSS is 4.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 12.10.11

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-24819
PATCHgithub.com/xwiki/xwiki-platform
WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-97jg-43c9-q6pf
WEBjira.xwiki.org/browse/XWIKI-18850