CVE-2022-36098 : XWiki Platform Mentions UI is a user interface for mentioning users in wiki cont

XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched on XWiki 14.4 and 13.10.6. As a workaround, one may update `XWiki.Mentions.MentionsMacro` and edit the `Macro code` field of the `XWiki.WikiMacroClass` XObject.

Published 2022-09-08 21:15:08

Updated 2022-09-13 19:37:37

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2022-36098

Xwiki » Xwiki
Versions from including (>=) 14.0 and before (<) 14.4
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Matching versions
Xwiki » Xwiki
Versions from including (>=) 12.5 and before (<) 13.10.6
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-36098

EPSS FAQ

23.34%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 96 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-36098

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H	2.3	6.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High
8.9	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L	2.3	6.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: Low

CWE ids for CVE-2022-36098

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-36098

https://github.com/xwiki/xwiki-platform/commit/4f290d87a8355e967378a1ed6aee23a06ba162eb

XWIKI-19752: Improved mentions macro escaping · xwiki/xwiki-platform@4f290d8 · GitHub
Patch;Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5v8-2q4r-5w9v

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in org.xwiki.platform:xwiki-platform-mentions-ui · Advisory · xwiki/xwiki-platform · GitHub
Exploit;Patch;Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19752

[XWIKI-19752] Privilege escalation (PR) from view rights through the mentions macro - XWiki.org JIRA
Exploit;Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/4032dc896857597efd169966dc9e2752a9fdd459#diff-4fe22885f772e47d3561a05348f73921669ec12d4413b220383b73c7ae484bc4R608-R610

XWIKI-19752: Improved mentions macro escaping · xwiki/xwiki-platform@4032dc8 · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-36098

Products affected by CVE-2022-36098

Exploit prediction scoring system (EPSS) score for CVE-2022-36098

CVSS scores for CVE-2022-36098

CWE ids for CVE-2022-36098

References for CVE-2022-36098