CVE-2022-29251: Cross-site Scripting in the Flamingo theme manager
CVSS Score: 7.4 (CVSS 3.1)
Basic Information
CVE ID: CVE-2022-29251
GHSA ID
EPSS Score: 0.82109%
CWE
Published: 5/25/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.xwiki.platform:xwiki-platform-flamingo-theme-ui | maven | < 12.10.11 | 12.10.11 |
org.xwiki.platform:xwiki-platform-flamingo-theme-ui | maven | >= 13.0.0, < 13.4.7 | 13.4.7 |
org.xwiki.platform:xwiki-platform-flamingo-theme-ui | maven | >= 13.5.0, < 13.10.3 | 13.10.3 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from a lack of proper output encoding in the template file FlamingoThemesCode/WebHomeSheet.xml, specifically in the unescaped insertion of the $request.newThemeName parameter into an HTML input field. This is a template-level issue rather than a specific function in the codebase. The fix involves adding the escaping function $escapetool.xml(), but the vulnerability itself is not tied to a named function in the code (e.g., a Java method or API). Instead, it is caused by improper handling of user input in the view layer (Velocity template). No functions with clear namespaces or file paths are directly implicated beyond the template's markup, which does not qualify as a 'function' in the traditional programming sense.
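A regression check for this class of template bug, as an added example that is not code from XWiki or from this advisory: it renders an input field with and without attribute escaping and parses the result to confirm the field's structure survives. The field markup and sample values are constructed, and Python's html.escape stands in for $escapetool.xml().

```python
from html import escape
from html.parser import HTMLParser

# Constructed markup: the advisory does not show the real template line.
FIELD = '<input type="text" name="newThemeName" value="{value}"/>'

# Constructed, inert sample values (markers only, no script).
SAMPLES = [
    "Iceberg",
    "Tom & Jerry's theme",
    'x" autofocus data-probe="1',
    '"><b>probe</b>',
]


def render_unescaped(value):
    """'Before' behaviour: the request value is copied into the attribute as-is."""
    return FIELD.format(value=value)


def render_escaped(value):
    """'After' behaviour; html.escape stands in for $escapetool.xml()."""
    return FIELD.format(value=escape(value, quote=True))


class _StartTags(HTMLParser):
    """Records every start tag and its attributes as an HTML parser sees them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def field_is_intact(markup, value):
    """True only if markup is one <input> with the expected attributes and value."""
    parser = _StartTags()
    parser.feed(markup)
    parser.close()
    if len(parser.tags) != 1:
        return False
    tag, attrs = parser.tags[0]
    return tag == "input" and set(attrs) == {"type", "name", "value"} and attrs["value"] == value


def audit(render):
    """Return the sample values that change the structure of the rendered field."""
    return [v for v in SAMPLES if not field_is_intact(render(v), v)]
```

Calling audit(render_unescaped) lists the values that add attributes or elements to the field, while audit(render_escaped) returns an empty list because every value round-trips as plain attribute text.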