What is the severity of CVE-2022-36097?

CVE-2022-36097 has been rated as a high severity vulnerability due to the possibility of executing malicious JavaScript code.

How do I fix CVE-2022-36097?

To fix CVE-2022-36097, upgrade to XWiki Platform version 14.4-rc-1 or later.

What versions of XWiki are affected by CVE-2022-36097?

CVE-2022-36097 affects XWiki Platform versions from 14.0-rc-1 to 14.3.

What are the implications of CVE-2022-36097?

The implications of CVE-2022-36097 include potential unauthorized JavaScript execution, leading to security breaches.

Is there a workaround for CVE-2022-36097?

Currently, there is no documented workaround for CVE-2022-36097 other than upgrading to a fixed version.

Vulnerability/
CVE-2022-36097

high

8.9

CWE

79 80

8/9/2022

3/8/2024

CVE-2022-36097: XWiki Platform Attachment UI vulnerable to cross-site scripting in the move attachment form

First published: Thu Sep 08 2022(Updated: )

XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround, one may copy `moveStep1.vm` to `webapp/xwiki/templates/moveStep1.vm` and replace vulnerable code with code from the patch.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Xwiki	>=14.0<14.3

Remedy

https://github.com/xwiki/xwiki-platform/commit/fbc4bfbae4f6ce8109addb281de86a03acdb9277

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-36097?
CVE-2022-36097 has been rated as a high severity vulnerability due to the possibility of executing malicious JavaScript code.
How do I fix CVE-2022-36097?
To fix CVE-2022-36097, upgrade to XWiki Platform version 14.4-rc-1 or later.
What versions of XWiki are affected by CVE-2022-36097?
CVE-2022-36097 affects XWiki Platform versions from 14.0-rc-1 to 14.3.
What are the implications of CVE-2022-36097?
The implications of CVE-2022-36097 include potential unauthorized JavaScript execution, leading to security breaches.
Is there a workaround for CVE-2022-36097?
Currently, there is no documented workaround for CVE-2022-36097 other than upgrading to a fixed version.

agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/severity
agent/author
agent/last-modified-date
agent/remedy
agent/title
agent/event
agent/first-publish-date
agent/description
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/xwiki
canonical/xwiki
version/xwiki/14.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.