
CVE-2022-29251: Cross-site Scripting in the Flamingo theme manager

CVSS Score: 7.4 (CVSS 3.1)

Basic Information

EPSS Score: 0.82109%
Published: 5/25/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-flamingo-theme-ui | maven | < 12.10.11 | 12.10.11 |
| org.xwiki.platform:xwiki-platform-flamingo-theme-ui | maven | >= 13.0.0, < 13.4.7 | 13.4.7 |
| org.xwiki.platform:xwiki-platform-flamingo-theme-ui | maven | >= 13.5.0, < 13.10.3 | 13.10.3 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from a lack of proper output encoding in the template file FlamingoThemesCode/WebHomeSheet.xml, specifically in the unescaped insertion of the $request.newThemeName parameter into an HTML input field. This is a template-level issue rather than a specific function in the codebase. The fix involves adding the escaping function $escapetool.xml(), but the vulnerability itself is not tied to a named function in the code (e.g., a Java method or API). Instead, it is caused by improper handling of user input in the view layer (Velocity template). No functions with clear namespaces or file paths are directly implicated beyond the template's markup, which does not qualify as a 'function' in the traditional programming sense.
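To audit other Velocity templates for the same pattern, the following added example (not code from XWiki or from this advisory) flags request parameters written into a double-quoted HTML attribute without `$escapetool.xml()`. The function name, the regular expressions and the sample template lines are assumptions constructed for illustration; the sample is not the contents of the real `WebHomeSheet.xml`.

```python
import re

# Velocity references to a request parameter:
# $request.x, $!request.x, ${request.x}, $!{request.x}
REQUEST_REF = re.compile(r"\$!?\{?request\.(\w+)\}?")
# A double-quoted HTML attribute: name="value"
ATTR_VALUE = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')
# A call to the escaping tool named in the fix, with a simple (non-nested) argument
ESCAPED = re.compile(r"\$!?\{?escapetool\.xml\(([^()]*)\)\}?")

# Constructed sample template lines (hypothetical markup).
SAMPLE = '''\
<input type="text" name="newThemeName" value="$request.newThemeName" />
<input type="text" name="newThemeName" value="$escapetool.xml($request.newThemeName)" />
<input type="text" name="q" value="$!{request.q}" class="$escapetool.xml($request.css)" />
'''


def find_unescaped_request_refs(template):
    """Return (line_no, attribute, parameter) for every request parameter
    placed in a double-quoted attribute outside $escapetool.xml().

    Heuristic only: it does not follow #set assignments, nested parentheses,
    or Velocity string literals that contain double quotes.
    """
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for attr, value in ATTR_VALUE.findall(line):
            # Remove the parts that are already wrapped in the escaping call.
            remaining = ESCAPED.sub("", value)
            for match in REQUEST_REF.finditer(remaining):
                findings.append((line_no, attr, match.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, attr, param in find_unescaped_request_refs(SAMPLE):
        print(f"line {line_no}: request.{param} unescaped in attribute '{attr}'")
```

A finding is a prompt for manual review of that template line, not proof of exploitability.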
