CVE-2022-36098

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-36098
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36098.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-36098
Aliases
Published
2022-09-08T20:50:11Z
Modified
2025-10-14T14:34:46Z
Severity
  • 8.9 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L CVSS Calculator
Summary
XWiki Platform Mentions UI vulnerable to Cross-site Scripting
Details

XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched on XWiki 14.4 and 13.10.6. As a workaround, one may update XWiki.Mentions.MentionsMacro and edit the Macro code field of the XWiki.WikiMacroClass XObject.

References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events