1. Home
  2. Vulnerabilities
  3. CVE-2022-36094

CVE-2022-36094

CVSS v3.1 9 (Critical)
90% Progress
EPSS 0.37 % (73th)
0.37% Progress
Affected Products 1
Advisories 1
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software Tools, Exploits & PoC Graph Web & Social Timeline

XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace viewattachrev.vm, the entry point for this attack, by a patched version from the patch without updating XWiki.

Weaknesses
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2022-09-08 20:15:08
(2 years ago)
Updated Date
2022-09-14 20:30:16
(2 years ago)

Affected Products

Xwiki

Configuration #1

    CPE23 From Up To
  Xwiki from 1.0 version and prior 13.10.6 version cpe:2.3:a:xwiki:xwiki >= 1.0 < 13.10.6
  Xwiki from 14.0 version and prior 14.3 version cpe:2.3:a:xwiki:xwiki >= 14.0 < 14.3