CVE-2022-29251

Cross-site Scripting in the Flamingo theme manager

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XWiki Platform Flamingo Theme UI is a tool that allows customization and preview of any Flamingo-based skin. Starting with versions 6.2.4 and 6.3-rc-1, a possible cross-site scripting vector is present in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the "newThemeName" form field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `FlamingoThemesCode.WebHomeSheet` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory.

XWiki Platform Flamingo Theme UI es una herramienta que permite personalizar y previsualizar cualquier skin basado en Flamingo. A partir de las versiones 6.2.4 y 6.3-rc-1, se presenta un posible vector de cross-site scripting en la página wiki "FlamingoThemesCode.WebHomeSheet" relacionado con el campo de formulario "newThemeName". El problema está parcheado en versiones 12.10.11, 14.0-rc-1, 13.4.7 y 13.10.3. La mitigación más fácil disponible es editar la página wiki "FlamingoThemesCode.WebHomeSheet" (con el editor wiki) de acuerdo con la sugerencia proporcionada en el aviso de seguridad de GitHub

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-04-13 CVE Reserved
2022-05-25 CVE Published
2023-12-16 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-116: Improper Encoding or Escaping of Output

CAPEC

References (3)

URL	Tag	Source
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vmhh-xh3g-j992	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/xwiki/xwiki-platform/commit/bd935320bee3c27cf7548351b1d0f935f116d437	2022-06-07

URL	Date	SRC
https://jira.xwiki.org/browse/XWIKI-19294	2022-06-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 6.2.4 < 12.10.11 Search vendor "Xwiki" for product "Xwiki" and version " >= 6.2.4 < 12.10.11"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 13.0 < 13.4.7 Search vendor "Xwiki" for product "Xwiki" and version " >= 13.0 < 13.4.7"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 13.5 < 13.10.3 Search vendor "Xwiki" for product "Xwiki" and version " >= 13.5 < 13.10.3"		-		Affected