Moderate severity · NVD Advisory · Published Nov 23, 2022 · Updated Apr 22, 2025
Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
CVE-2022-41929
Description
org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1.
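The flaw is a classic missing-authorization bug in a script-facing wrapper: the public `User` API object forwarded `setDisabledStatus` straight to the internal user model, so anyone allowed to run a script could flip another account's disabled flag. The following is an added illustration written for this page, not XWiki's own code; `Context`, `InternalUser`, `Right` and the two wrapper classes are hypothetical stand-ins for XWikiContext, XWikiUser and the `com.xpn.xwiki.api.User` wrapper, and `hasAdminRights()` is assumed to answer for the current script caller. Unlike the actual patch, which silently skips the change when the caller lacks admin rights, the guarded wrapper here throws, so a script cannot confuse a refused change with a successful one.

```java
import java.util.EnumSet;
import java.util.Set;

public class ScriptApiAuthzDemo {

    /** Rights a caller may hold; a deliberately reduced model of XWiki's rights (hypothetical). */
    enum Right { SCRIPT, ADMIN }

    /** Who is running the script and which rights they hold (stand-in for XWikiContext). */
    static final class Context {
        final String caller;
        final Set<Right> rights;

        Context(String caller, Set<Right> rights) {
            this.caller = caller;
            this.rights = rights;
        }

        boolean hasAdminRights() {
            return rights.contains(Right.ADMIN);
        }
    }

    /** Internal model object with no authorization of its own (stand-in for XWikiUser). */
    static final class InternalUser {
        final String name;
        boolean disabled;

        InternalUser(String name) {
            this.name = name;
        }

        void setDisabled(boolean disabled) {
            this.disabled = disabled;
        }
    }

    /** Script-facing wrapper as it was before the fix: forwards straight to the model. */
    static final class VulnerableUserApi {
        private final InternalUser user;

        VulnerableUserApi(InternalUser user) {
            this.user = user;
        }

        public void setDisabledStatus(boolean disabledStatus) {
            // No rights check: anyone who can reach this wrapper (Script rights) changes the account.
            user.setDisabled(disabledStatus);
        }
    }

    /** Wrapper in the shape of the fix: the privileged operation is gated on the caller's admin rights. */
    static final class PatchedUserApi {
        private final InternalUser user;
        private final Context ctx;

        PatchedUserApi(InternalUser user, Context ctx) {
            this.user = user;
            this.ctx = ctx;
        }

        public void setDisabledStatus(boolean disabledStatus) {
            if (!ctx.hasAdminRights()) {
                // Refuse loudly rather than silently ignoring the call (the real patch is a silent no-op).
                throw new SecurityException(ctx.caller + " lacks admin rights to change the disabled status of " + user.name);
            }
            user.setDisabled(disabledStatus);
        }
    }

    public static void main(String[] args) {
        Context scriptOnly = new Context("scripter", EnumSet.of(Right.SCRIPT));
        Context admin = new Context("admin", EnumSet.of(Right.SCRIPT, Right.ADMIN));

        // Constructed target account for the demonstration.
        InternalUser target = new InternalUser("XWiki.Alice");

        // Before the fix: a caller with only Script rights disables the account.
        new VulnerableUserApi(target).setDisabledStatus(true);
        System.out.println("vulnerable wrapper, script-only caller -> disabled=" + target.disabled);

        target.setDisabled(false);

        // After the fix: the same caller is refused and the account is left untouched.
        try {
            new PatchedUserApi(target, scriptOnly).setDisabledStatus(true);
        } catch (SecurityException e) {
            System.out.println("patched wrapper, script-only caller -> refused: " + e.getMessage());
        }
        System.out.println("account still disabled=" + target.disabled);

        // An admin caller still succeeds through the guarded wrapper.
        new PatchedUserApi(target, admin).setDisabledStatus(true);
        System.out.println("patched wrapper, admin caller -> disabled=" + target.disabled);
    }
}
```

The point for reviewers of any script API is that the internal model (here `InternalUser`, in XWiki the XWikiUser object) carries no authorization of its own; every public wrapper method that reaches a privileged operation must perform the rights check itself, and a test that calls the wrapper with a Script-only context is the cheapest regression check for this class of bug.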
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-oldcore (Maven) | >= 11.7RC1, < 13.10.7 | 13.10.7 |
| org.xwiki.platform:xwiki-platform-oldcore (Maven) | >= 14.0.0, < 14.4.2 | 14.4.2 |
Affected products
- Range: >= 11.7RC1, < 13.10.7
Patches
0b732f2ef022 XWIKI-19804: Bulletproof user API
1 file changed · +3 −1
xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/api/User.java+3 −1 modified@@ -92,7 +92,9 @@ public XWikiUser getUser() */ public void setDisabledStatus(boolean disabledStatus) { - this.user.setDisabled(disabledStatus, getXWikiContext()); + if (hasAdminRights()) { + this.user.setDisabled(disabledStatus, getXWikiContext()); + } } /**
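Review bot: the new guard in setDisabledStatus fails closed but silently: when `hasAdminRights()` is false the call becomes a no-op with no exception and no return value, so a script cannot tell a refused change from a successful one and may carry on as if the account had been disabled. Consider refusing explicitly, for example by throwing an access-denied exception or by returning a boolean success flag, so that callers and audit logs see the denial. The Javadoc block that closes at the top of the hunk (`*/`) should also be updated to state that the operation now requires admin rights, since that requirement is new API behaviour.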
References
- github.com/advisories/GHSA-2gj2-vj98-j2qq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-41929 (GHSA, advisory)
- github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd (GHSA, web)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-2gj2-vj98-j2qq (GHSA, web)
- jira.xwiki.org/browse/XWIKI-19804 (GHSA, web)