Lucene search

GitHub_MCVELIST:CVE-2022-29252

HistoryMay 25, 2022 - 8:55 p.m.

CVE-2022-29252 Cross-site Scripting in XWiki Platform Wiki UI Main Wiki

2022-05-2520:55:16

CWE-116

CWE-80

GitHub_M

www.cve.org

xwiki platform

cross-site scripting

cve-2022-29252

security advisory

wiki ui

wiki manager

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

EPSS

0.001

Percentile

30.8%

JSON

XWiki Platform Wiki UI Main Wiki is a package for managing subwikis. Starting with version 5.3-milestone-2, XWiki Platform Wiki UI Main Wiki contains a possible cross-site scripting vector in the WikiManager.JoinWiki wiki page related to the “requestJoin” field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page WikiManager.JoinWiki (with wiki editor) according to the suggestion provided in the GitHub Security Advisory.

CNA Affected

[
  {
    "product": "xwiki-platform",
    "vendor": "xwiki",
    "versions": [
      {
        "status": "affected",
        "version": ">= 5.3-milestone-2, < 12.10.11"
      },
      {
        "status": "affected",
        "version": ">= 13.0, < 13.4.7"
      },
      {
        "status": "affected",
        "version": ">= 13.5, < 13.10.3"
      }
    ]
  }
]

References

github.com/xwiki/xwiki-platform/commit/27f839133d41877e538d35fa88274b50a1c00b9b

github.com/xwiki/xwiki-platform/security/advisories/GHSA-ph5x-h23x-7q5q

jira.xwiki.org/browse/XWIKI-19292

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

EPSS

0.001

Percentile

30.8%

JSON

Related for CVELIST:CVE-2022-29252