CVE-2022-36097

XWiki Platform Attachment UI vulnerable to cross-site scripting in the move attachment form

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround, one may copy `moveStep1.vm` to `webapp/xwiki/templates/moveStep1.vm` and replace vulnerable code with code from the patch.

XWiki Platform Attachment UI proporciona una macro para cargar y seleccionar archivos adjuntos fácilmente para la plataforma XWiki, una plataforma wiki genérica. A partir de la versión 14.0-rc-1 y anteriores a 14.4-rc-1, es posible almacenar JavaScript en un nombre de archivo adjunto, que será ejecutado por cualquiera que intente mover el archivo adjunto correspondiente. Este problema ha sido parcheado en XWiki versión 14.4-rc-1. Como mitigación, puede copiarse "moveStep1.vm" en "webapp/xwiki/templates/moveStep1.vm" y reemplazar el código vulnerable con el código del parche

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-15 CVE Reserved
2022-09-08 CVE Published
2024-03-31 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9r9j-57rf-f6vj	2024-08-03
https://jira.xwiki.org/browse/XWIKI-19667	2024-08-03
https://raw.githubusercontent.com/xwiki/xwiki-platform/xwiki-platform-14.0-rc-1/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-api/src/main/resources/templates/attachment/moveStep1.vm	2024-08-03

URL	Date	SRC
https://github.com/xwiki/xwiki-platform/commit/fbc4bfbae4f6ce8109addb281de86a03acdb9277	2022-09-13

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 14.0 < 14.3 Search vendor "Xwiki" for product "Xwiki" and version " >= 14.0 < 14.3"		-		Affected