GHSA-xjfw-5vv5-vjq2

Source

https://github.com/advisories/GHSA-xjfw-5vv5-vjq2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-xjfw-5vv5-vjq2/GHSA-xjfw-5vv5-vjq2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xjfw-5vv5-vjq2

Aliases

CVE-2022-29258

Published

2022-06-01T20:25:54Z

Modified

2023-11-08T04:09:12.720581Z

Severity

7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N CVSS Calculator

Summary

Cross-site Scripting in Filter Stream Converter Application in XWiki Platform

Details

Impact

We found a possible XSS vector in the Filter.FilterStreamDescriptorForm wiki page related to pretty much all the form fields printed in the home page of the application.

Patches

The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3.

Workarounds

The easiest workaround is to edit the wiki page Filter.FilterStreamDescriptorForm (with wiki editor) and change the lines

          <input type="text" id="$descriptorId" name="$descriptorId" value="#if($request.get($descriptorId))$request.get($descriptorId)#else$descriptor.defaultValue#end"/>
        #else
          &lt;input type="text" id="$descriptorId" name="$descriptorId"#if($request.get($descriptorId))value="$request.get($descriptorId)"#end/>

into

          <input type="text" id="$descriptorId" name="$descriptorId" value="#if($request.get($descriptorId))$escapetool.xml($request.get($descriptorId))#else$descriptor.defaultValue#end"/>
        #else
          &lt;input type="text" id="$descriptorId" name="$descriptorId"#if($request.get($descriptorId))value="$escapetool.xml($request.get($descriptorId))"#end/>

Database specific

{
    "nvd_published_at": "2022-05-31T17:15:00Z",
    "github_reviewed_at": "2022-06-01T20:25:54Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-116",
        "CWE-79"
    ]
}

References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-filter-ui

Package

Name: org.xwiki.platform:xwiki-platform-filter-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-filter-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.4.4

Fixed

12.10.11

Maven / org.xwiki.platform:xwiki-platform-filter-ui

Package

Name: org.xwiki.platform:xwiki-platform-filter-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-filter-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.0.0

Fixed

13.4.7

Maven / org.xwiki.platform:xwiki-platform-filter-ui

Package

Name: org.xwiki.platform:xwiki-platform-filter-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-filter-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.5.0

Fixed

13.10.3