Vulnerability Details CVE-2022-36098
XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched on XWiki 14.4 and 13.10.6. As a workaround, one may update `XWiki.Mentions.MentionsMacro` and edit the `Macro code` field of the `XWiki.WikiMacroClass` XObject.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.233
EPSS Ranking 95.7%
CVSS Severity
CVSS v3 Score 8.9
References
- https://github.com/xwiki/xwiki-platform/commit/4032dc896857597efd169966dc9e2752a9fdd459#diff-4fe22885f772e47d3561a05348f73921669ec12d4413b220383b73c7ae484bc4R608-R610
- https://github.com/xwiki/xwiki-platform/commit/4f290d87a8355e967378a1ed6aee23a06ba162eb
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5v8-2q4r-5w9v
- https://jira.xwiki.org/browse/XWIKI-19752
- https://github.com/xwiki/xwiki-platform/commit/4032dc896857597efd169966dc9e2752a9fdd459#diff-4fe22885f772e47d3561a05348f73921669ec12d4413b220383b73c7ae484bc4R608-R610
- https://github.com/xwiki/xwiki-platform/commit/4f290d87a8355e967378a1ed6aee23a06ba162eb
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5v8-2q4r-5w9v
- https://jira.xwiki.org/browse/XWIKI-19752
Products affected by CVE-2022-36098
-
cpe:2.3:a:xwiki:xwiki:12.10
-
cpe:2.3:a:xwiki:xwiki:12.10.1
-
cpe:2.3:a:xwiki:xwiki:12.10.10
-
cpe:2.3:a:xwiki:xwiki:12.10.11
-
cpe:2.3:a:xwiki:xwiki:12.10.2
-
cpe:2.3:a:xwiki:xwiki:12.10.3
-
cpe:2.3:a:xwiki:xwiki:12.10.4
-
cpe:2.3:a:xwiki:xwiki:12.10.5
-
cpe:2.3:a:xwiki:xwiki:12.10.6
-
cpe:2.3:a:xwiki:xwiki:12.10.7
-
cpe:2.3:a:xwiki:xwiki:12.10.8
-
cpe:2.3:a:xwiki:xwiki:12.10.9
-
cpe:2.3:a:xwiki:xwiki:12.5
-
cpe:2.3:a:xwiki:xwiki:12.5.1
-
cpe:2.3:a:xwiki:xwiki:12.6
-
cpe:2.3:a:xwiki:xwiki:12.6.1
-
cpe:2.3:a:xwiki:xwiki:12.6.2
-
cpe:2.3:a:xwiki:xwiki:12.6.3
-
cpe:2.3:a:xwiki:xwiki:12.6.4
-
cpe:2.3:a:xwiki:xwiki:12.6.5
-
cpe:2.3:a:xwiki:xwiki:12.6.6
-
cpe:2.3:a:xwiki:xwiki:12.6.7
-
cpe:2.3:a:xwiki:xwiki:12.6.8
-
cpe:2.3:a:xwiki:xwiki:12.7
-
cpe:2.3:a:xwiki:xwiki:12.7.1
-
cpe:2.3:a:xwiki:xwiki:12.8
-
cpe:2.3:a:xwiki:xwiki:12.9
-
cpe:2.3:a:xwiki:xwiki:13.0
-
cpe:2.3:a:xwiki:xwiki:13.1
-
cpe:2.3:a:xwiki:xwiki:13.10
-
cpe:2.3:a:xwiki:xwiki:13.10.1
-
cpe:2.3:a:xwiki:xwiki:13.10.2
-
cpe:2.3:a:xwiki:xwiki:13.10.3
-
cpe:2.3:a:xwiki:xwiki:13.10.4
-
cpe:2.3:a:xwiki:xwiki:13.10.5
-
cpe:2.3:a:xwiki:xwiki:13.2
-
cpe:2.3:a:xwiki:xwiki:13.3
-
cpe:2.3:a:xwiki:xwiki:13.4
-
cpe:2.3:a:xwiki:xwiki:13.4.1
-
cpe:2.3:a:xwiki:xwiki:13.4.2
-
cpe:2.3:a:xwiki:xwiki:13.4.3
-
cpe:2.3:a:xwiki:xwiki:13.4.4
-
cpe:2.3:a:xwiki:xwiki:13.4.5
-
cpe:2.3:a:xwiki:xwiki:13.4.6
-
cpe:2.3:a:xwiki:xwiki:13.4.7
-
cpe:2.3:a:xwiki:xwiki:13.5
-
cpe:2.3:a:xwiki:xwiki:13.6
-
cpe:2.3:a:xwiki:xwiki:13.7
-
cpe:2.3:a:xwiki:xwiki:13.8
-
cpe:2.3:a:xwiki:xwiki:13.9
-
cpe:2.3:a:xwiki:xwiki:14.0
-
cpe:2.3:a:xwiki:xwiki:14.1
-
cpe:2.3:a:xwiki:xwiki:14.2
-
cpe:2.3:a:xwiki:xwiki:14.2.1
-
cpe:2.3:a:xwiki:xwiki:14.3
-
cpe:2.3:a:xwiki:xwiki:14.3.1