GHSA-vmhh-xh3g-j992

Source

https://github.com/advisories/GHSA-vmhh-xh3g-j992

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vmhh-xh3g-j992/GHSA-vmhh-xh3g-j992.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vmhh-xh3g-j992

Aliases

CVE-2022-29251

Published

2022-05-25T22:40:57Z

Modified

2023-11-08T04:09:12.290389Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Cross-site Scripting in the Flamingo theme manager

Details

Impact

We found a possible XSS vector in the FlamingoThemesCode.WebHomeSheet wiki page related to the "newThemeName" form field.

Patches

The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3.

Workarounds

The easiest workaround is to edit the wiki page FlamingoThemesCode.WebHomeSheet (with wiki editor) and change the line

<input type="hidden" name="newThemeName" id="newThemeName" value="$request.newThemeName" />

into

<input type="hidden" name="newThemeName" id="newThemeName" value="$escapetool.xml($request.newThemeName)" />

References

https://jira.xwiki.org/browse/XWIKI-19294
https://github.com/xwiki/xwiki-platform/commit/bd935320bee3c27cf7548351b1d0f935f116d437

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at security mailing list

Database specific

{
    "nvd_published_at": "2022-05-25T21:15:00Z",
    "github_reviewed_at": "2022-05-25T22:40:57Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-116",
        "CWE-79",
        "CWE-80"
    ]
}

References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-flamingo-theme-ui

Package

Name: org.xwiki.platform:xwiki-platform-flamingo-theme-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

12.10.11

Maven / org.xwiki.platform:xwiki-platform-flamingo-theme-ui

Package

Name: org.xwiki.platform:xwiki-platform-flamingo-theme-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.0.0

Fixed

13.4.7

Maven / org.xwiki.platform:xwiki-platform-flamingo-theme-ui

Package

Name: org.xwiki.platform:xwiki-platform-flamingo-theme-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.5.0

Fixed

13.10.3