CVE-2022-29258

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-29258
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29258.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-29258
Aliases
Published
2022-05-31T16:45:11Z
Modified
2026-04-10T04:47:10.608691Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
Summary
Cross-site Scripting in Filter Stream Converter Application in XWiki Platform
Details

XWiki Platform Filter UI provides a generic user interface to convert from a XWiki Filter input stream to an output stream with settings for each stream. Starting with versions 6.0-milestone-2 and 5.4.4 and prior to versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3, XWiki Platform Filter UI contains a possible cross-site scripting vector in the Filter.FilterStreamDescriptorForm wiki page related to pretty much all the form fields printed in the home page of the application. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest workaround is to edit the wiki page Filter.FilterStreamDescriptorForm (with wiki editor) according to the instructions in the GitHub Security Advisory.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-116",
        "CWE-80"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29258.json"
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
4d2a2d9e9f29a4ffa7b6e230759f1e2fb21fa483
Last affected
0e3d1c821114e78b898c869275beda66486a663e
Database specific 
{
    "versions": [
        {
            "introduced": "5.4.4"
        },
        {
            "last_affected": "6.0-milestone-2"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0e3d1c821114e78b898c869275beda66486a663e
Fixed
b72dfa77858847bb8e11b735cf12385520fc2270
Database specific 
{
    "versions": [
        {
            "introduced": "6.0-milestone-2"
        },
        {
            "fixed": "12.10.11"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
7a8fb3b7f87153bdcbe3d336be3a565b7f77571b
Fixed
63d1d84188e8a282d11471c9fd4f86fdc90c62b6
Database specific 
{
    "versions": [
        {
            "introduced": "13.0.0"
        },
        {
            "fixed": "13.4.7"
        },
        {
            "introduced": "13.5.0"
        },
        {
            "fixed": "13.10.3"
        }
    ]
}

Affected versions

xwiki-platform-13.*
xwiki-platform-13.10
xwiki-platform-13.10-rc-1
xwiki-platform-13.10.1
xwiki-platform-13.10.2
xwiki-platform-13.4
xwiki-platform-13.4-rc-1
xwiki-platform-13.4.1
xwiki-platform-13.4.2
xwiki-platform-13.4.3
xwiki-platform-13.4.4
xwiki-platform-13.4.5
xwiki-platform-13.4.6
xwiki-platform-7.*
xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2
xwiki-platform-8.*
xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1
xwiki-platform-9.*
xwiki-platform-9.9-rc-2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29258.json"