8.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36094

GHSA ID

GHSA-mxf2-4r22-5hq9

EPSS Score

0.97636%

CWE

CWE-79

Published

9/16/2022

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36094

CVE-2022-36094: XWiki Platform Web Parent POM vulnerable to XSS in the attachment history

Impact

It's possible to store a JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name.

For example, attachment a file with name ><img src=1 onerror=alert(1)>.jpg will execute the alert.

Patches

This issue has been patched in XWiki 13.10.6 and 14.3RC1.

Workarounds

It is possible to replace viewattachrev.vm, the entry point for this attack, by a patched version from the patch without updating XWiki.

References

https://jira.xwiki.org/browse/XWIKI-19612

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

8.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36094

GHSA ID

GHSA-mxf2-4r22-5hq9

EPSS Score

0.97636%

CWE

CWE-79

Published

9/16/2022

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-web	maven	>= 1.0, < 13.10.6	13.10.6
org.xwiki.platform:xwiki-platform-web	maven	>= 14.0, < 14.3-rc-1	14.3-rc-1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing HTML escaping in two locations in viewattachrev.vm: 1) In the page title localization string interpolation, and 2) In the <img> alt attribute. The commit patch adds $escapetool.xml() to sanitize the filename input. As Velocity templates control HTML generation, unescaped user-controlled input (attachment filenames) in these template variables directly enables XSS. The CWE mapping (CWE-79/CWE-80) and attack example confirm this is an output encoding failure in template rendering.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t It's possi*l* to stor* * J*v*S*ript w*i** will ** *x**ut** *y *nyon* vi*win* t** *istory o* *n *tt***m*nt *ont*inin* j*v*s*ript in its n*m*. *or *x*mpl*, *tt***m*nt * *il* wit* n*m* `><im* sr*=* on*rror=*l*rt(*)>.jp*` will *x**ut* t** *l

Reasoning

T** vuln*r**ility st*ms *rom missin* *TML *s**pin* in two lo**tions in vi*w*tt***r*v.vm: *) In t** p*** titl* lo**liz*tion strin* int*rpol*tion, *n* *) In t** <im*> *lt *ttri*ut*. T** *ommit p*t** ***s $*s**p*tool.xml() to s*nitiz* t** *il*n*m* input

8.9

Basic Information

Concerned about an active attack path?

CVE-2022-36094: XWiki Platform Web Parent POM vulnerable to XSS in the attachment history

Impact

Patches

Workarounds

References

For more information

8.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI