Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-36096

The XWiki Platform Index UI is an Index of all pages, attachments, orphans and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3. As a workaround, modify fix the vulnerability by editing the wiki page `XWiki.DeletedAttachments` with the object editor, open the `JavaScriptExtension` object and apply on the content the changes that can be found on the fix commit.

Published

2022-09-08T21:15:07.950

Last Modified

2024-11-21T07:12:22.710

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.9 (HIGH)

Weaknesses

Type: Secondary
CWE-79
CWE-80
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 13.10.6	Yes
Application	xwiki	xwiki	< 14.3	Yes
Application	xwiki	xwiki	2.2	Yes

References

https://github.com/xwiki/xwiki-platform/commit/6705b0cd0289d1c90ed354bd4ecc1508c4b25745 Patch, Third Party Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gjmq-x5x7-wc36 Third Party Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-19613 Vendor Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/commit/6705b0cd0289d1c90ed354bd4ecc1508c4b25745 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gjmq-x5x7-wc36 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.xwiki.org/browse/XWIKI-19613 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)