Home > Vulnerability Database > CVE-2022-36094

Mend.io Vulnerability Database

CVE-2022-36094

Date: September 8, 2022

XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace "viewattachrev.vm", the entry point for this attack, by a patched version from the patch without updating XWiki.

Language: Java

Severity Score

8.9

Related Resources (6)

Url: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mxf2-4r22-5hq9

Url: https://github.com/xwiki/xwiki-platform

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-36094

Url: https://jira.xwiki.org/browse/XWIKI-19612

Url: https://github.com/xwiki/xwiki-platform/commit/047ce9fa4a7c13f3883438aaf54fc50f287a7e8e

Url: https://www.mend.io/vulnerability-database/CVE-2022-36094

Severity Score

8.9

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-80

CVSS v3.1

Base Score:	8.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2022-36094

Date: September 8, 2022

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?