1. Home
  2. Vulnerabilities
  3. CVE-2022-36096

CVE-2022-36096

CVSS v3.1 9 (Critical)
90% Progress
EPSS 0.22 % (61th)
0.22% Progress
Affected Products 1
Advisories 1
Info CVSS EPSS CAPEC Affected Configurations References Security Advisories Packages & Software Tools, Exploits & PoC Graph Web & Social Timeline

The XWiki Platform Index UI is an Index of all pages, attachments, orphans and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3. As a workaround, modify fix the vulnerability by editing the wiki page XWiki.DeletedAttachments with the object editor, open the JavaScriptExtension object and apply on the content the changes that can be found on the fix commit.

Weaknesses
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE Status
PUBLISHED
CNA
GitHub, Inc.
Published Date
2022-09-08 21:15:07
(2 years ago)
Updated Date
2022-09-13 19:30:02
(2 years ago)

Affected Products

Xwiki

Configuration #1

    CPE23 From Up To
  Xwiki from 2.3 version and prior 13.10.6 version cpe:2.3:a:xwiki:xwiki >= 2.3 < 13.10.6
  Xwiki from 14.0 version and prior 14.3 version cpe:2.3:a:xwiki:xwiki >= 14.0 < 14.3
  Xwiki 2.2 Milestone1 cpe:2.3:a:xwiki:xwiki:2.2:milestone1