
We found results for “”
CVE-2022-36097
Good to know:

Date: September 8, 2022
XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround, one may copy "moveStep1.vm" to "webapp/xwiki/templates/moveStep1.vm" and replace vulnerable code with code from the patch.
Language: Java
Severity Score
Related Resources (7)
Severity Score
Weakness Type (CWE)
Top Fix

Upgrade Version
Upgrade to version org.xwiki.platform:xwiki-platform-attachment-ui:14.4-rc-1
CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | LOW |
User Interaction (UI): | REQUIRED |
Scope (S): | CHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | HIGH |
Availability (A): | LOW |