CVE-2022-36098

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-36098
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36098.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-36098
Aliases
Published
2022-09-08T21:15:08Z
Modified
2024-09-03T04:19:55.369604Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched on XWiki 14.4 and 13.10.6. As a workaround, one may update XWiki.Mentions.MentionsMacro and edit the Macro code field of the XWiki.WikiMacroClass XObject.

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-commons
Events
Introduced
9c0539e3b1f7a819bfbf4914fc05788308a4f7d0
Fixed
479a47aeb015f634a121f1821642e0cb61dcc3d7
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4032dc896857597efd169966dc9e2752a9fdd459
Fixed
4f290d87a8355e967378a1ed6aee23a06ba162eb

Affected versions

xwiki-application-calendar-1.*

xwiki-application-calendar-1.0

xwiki-platform-7.*

xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2

xwiki-platform-8.*

xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1

xwiki-platform-9.*

xwiki-platform-9.9-rc-2

xwiki-plugin-tag-1.*

xwiki-plugin-tag-1.1