Home > Vulnerability Database > CVE-2022-36094

Mend.io Vulnerability Database

CVE-2022-36094

Good to know:

Date: September 8, 2022

XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, by a patched version from the patch without updating XWiki.

Language: Java

Severity Score

9.0

Related Resources (5)

Url: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mxf2-4r22-5hq9

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-36094

Url: https://jira.xwiki.org/browse/XWIKI-19612

Url: https://github.com/xwiki/xwiki-platform/commit/047ce9fa4a7c13f3883438aaf54fc50f287a7e8e

Url: https://www.mend.io/vulnerability-database/CVE-2022-36094

Severity Score

9.0

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

Upgrade Version

Upgrade to version org.xwiki.platform:xwiki-platform-index-ui:13.10.6,14.3

Learn More

CVSS v3.1

Base Score:	9.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2022-36094

Good to know:

Date: September 8, 2022

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?