GHSA-ph5x-h23x-7q5q

Source

https://github.com/advisories/GHSA-ph5x-h23x-7q5q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-ph5x-h23x-7q5q/GHSA-ph5x-h23x-7q5q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-ph5x-h23x-7q5q

Aliases

CVE-2022-29252

Published

2022-05-25T22:41:10Z

Modified

2023-11-08T04:09:12.353408Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Cross-site Scripting in wiki manager join wiki page

Details

Impact

We found a possible XSS vector in the WikiManager.JoinWiki wiki page related to the "requestJoin" field.

Patches

The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3.

Workarounds

The easiest workaround is to edit the wiki page WikiManager.JoinWiki (with wiki editor) and change the line

<input type='hidden' name='requestJoin' value="$!request.requestJoin"/>

into

<input type='hidden' name='requestJoin' value="$escapetool.xml($!request.requestJoin)">

References

https://jira.xwiki.org/browse/XWIKI-19292
https://github.com/xwiki/xwiki-platform/commit/27f839133d41877e538d35fa88274b50a1c00b9b

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at security mailing list

Database specific

{
    "nvd_published_at": "2022-05-25T21:15:00Z",
    "github_reviewed_at": "2022-05-25T22:41:10Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-116",
        "CWE-79"
    ]
}

References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki

Package

Name: org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-wiki-ui-mainwiki

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.10.11

Maven / org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki

Package

Name: org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-wiki-ui-mainwiki

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.0.0

Fixed

13.4.7

Maven / org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki

Package

Name: org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-wiki-ui-mainwiki

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.5.0

Fixed

13.10.3