CVE-2022-36098

Exploit

EPSS 43.65%
Veröffentlicht 08.09.2022 21:15:08
Zuletzt bearbeitet 21.11.2024 07:12:23
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched on XWiki 14.4 and 13.10.6. As a workaround, one may update `XWiki.Mentions.MentionsMacro` and edit the `Macro code` field of the `XWiki.WikiMacroClass` XObject.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Xwiki ≫ Xwiki Version >= 12.5 < 13.10.6

Xwiki ≫ Xwiki Version >= 14.0 < 14.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	43.65%	0.974

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9	2.3	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
security-advisories@github.com	8.9	2.3	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/xwiki/xwiki-platform/commit/4032dc896857597efd169966dc9e2752a9fdd459#diff-4fe22885f772e47d3561a05348f73921669ec12d4413b220383b73c7ae484bc4R608-R610

Patch

Third Party Advisory

https://github.com/xwiki/xwiki-platform/commit/4f290d87a8355e967378a1ed6aee23a06ba162eb

Patch

Third Party Advisory

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5v8-2q4r-5w9v

Patch

Third Party Advisory

Exploit

https://jira.xwiki.org/browse/XWIKI-19752

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2022-36098

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-36098

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-36098

EUVD