First published: Thu Sep 08 2022
XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, it is possible to perform a Cross-Site Request Forgery (CSRF) attack for adding or removing tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the `documentTags.vm` template in one's filesystem, to apply the changes exposed there.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Xwiki | >=2.3<13.10.6 | |
Xwiki | >=14.0<14.3 | |
Xwiki | =2.0-milestone2 | |
CVE-2022-36095 is classified as a medium severity vulnerability because it allows a Cross-Site Request Forgery (CSRF) attack.
To fix CVE-2022-36095, upgrade XWiki to version 13.10.5, 14.3, or later.
CVE-2022-36095 allows attackers to add or remove tags on XWiki pages through CSRF exploitation.
CVE-2022-36095 affects XWiki versions prior to 13.10.5 and 14.3, including 2.0-milestone2.
Yes, a local modification of the `documentTags.vm` template can serve as a workaround for CVE-2022-36095 until the upgrade is applied.