Vulnerability Description
XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, by a patched version from the patch without updating XWiki.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | >= 1.0, < 13.10.6 |
Related Weaknesses (CWE)
References
- https://github.com/xwiki/xwiki-platform/commit/047ce9fa4a7c13f3883438aaf54fc50f2PatchThird Party Advisory
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mxf2-4r22-5hq9Third Party Advisory
- https://jira.xwiki.org/browse/XWIKI-19612ExploitVendor Advisory
- https://github.com/xwiki/xwiki-platform/commit/047ce9fa4a7c13f3883438aaf54fc50f2PatchThird Party Advisory
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mxf2-4r22-5hq9Third Party Advisory
- https://jira.xwiki.org/browse/XWIKI-19612ExploitVendor Advisory
FAQ
What is CVE-2022-36094?
CVE-2022-36094 is a vulnerability with a CVSS score of 8.9 (HIGH). XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store Jav...
How severe is CVE-2022-36094?
CVE-2022-36094 has been rated HIGH with a CVSS base score of 8.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-36094?
Check the references section above for vendor advisories and patch information. Affected products include: Xwiki Xwiki.