Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-36094

XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, by a patched version from the patch without updating XWiki.

Published

2022-09-08T20:15:08.600

Last Modified

2024-11-21T07:12:22.407

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.9 (HIGH)

Weaknesses

Type: Secondary
CWE-79
CWE-80
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 13.10.6	Yes
Application	xwiki	xwiki	< 14.3	Yes

References

https://github.com/xwiki/xwiki-platform/commit/047ce9fa4a7c13f3883438aaf54fc50f287a7e8e Patch, Third Party Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mxf2-4r22-5hq9 Third Party Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-19612 Exploit, Vendor Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/commit/047ce9fa4a7c13f3883438aaf54fc50f287a7e8e Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mxf2-4r22-5hq9 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.xwiki.org/browse/XWIKI-19612 Exploit, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)