CVE-2022-36095

XWiki Cross-Site Request Forgery (CSRF) for actions on tags

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, it is possible to perform a Cross-Site Request Forgery (CSRF) attack for adding or removing tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the `documentTags.vm` template in one's filesystem, to apply the changes exposed there.

XWiki Platform es una plataforma wiki genérica. En versiones anteriores a 13.10.5 y 14.3, era posible llevar a cabo un ataque de tipo Cross-Site Request Forgery (CSRF) para agregar o eliminar etiquetas en las páginas de XWiki. El problema ha sido parcheado en XWiki versiones 13.10.5 y 14.3. Como mitigación, uno puede modificar localmente la plantilla "documentTags.vm" en el sistema de archivos de uno, para aplicar los cambios expuestos allí

*Credits: N/A

CVSS Scores

NISTv3.1 4.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-15 CVE Reserved
2022-09-08 CVE Published
2024-03-31 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-352: Cross-Site Request Forgery (CSRF)

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae	2022-09-15
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fxwr-4vq9-9vhj	2022-09-15

URL	Date	SRC
https://jira.xwiki.org/browse/XWIKI-19550	2022-09-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 2.3 < 13.10.6 Search vendor "Xwiki" for product "Xwiki" and version " >= 2.3 < 13.10.6"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 14.0 < 14.3 Search vendor "Xwiki" for product "Xwiki" and version " >= 14.0 < 14.3"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				2.0 Search vendor "Xwiki" for product "Xwiki" and version "2.0"		milestone2		Affected