CVE-2022-36095
Published 2022-09-08
Priority: P4 | 18 | Severity: medium, CVSS 3.1 base score 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.32% (24.2th percentile)
XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, it is possible to perform a Cross-Site Request Forgery (CSRF) attack for adding or removing tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the `documentTags.vm` template in one's filesystem, to apply the changes exposed there.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 14.0 < 14.3 | 14.3 |
| xwiki | xwiki | >= 2.3 < 13.10.6 | 13.10.6 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
GHSA
XWiki Cross-Site Request Forgery (CSRF) for actions on tags
ghsa·2022-09-16
CVE-2022-36095 [MEDIUM] CWE-352 XWiki Cross-Site Request Forgery (CSRF) for actions on tags
XWiki Cross-Site Request Forgery (CSRF) for actions on tags
### Impact
It's possible to perform a CSRF attack for adding or removing tags on XWiki pages.
### Patches
The problem has been patched in XWiki 13.10.5 and 14.3.
### Workarounds
It's possible to fix the issue without upgrading by locally modifying the `documentTags.vm` template in your filesystem, to apply the changes exposed there: https://github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae.
### References
https://jira.xwiki.org/browse/XWIKI-19550
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki](https://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])
OSV
XWiki Cross-Site Request Forgery (CSRF) for actions on tags
osv·2022-09-16
CVE-2022-36095 [MEDIUM] XWiki Cross-Site Request Forgery (CSRF) for actions on tags
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fxwr-4vq9-9vhj
- https://jira.xwiki.org/browse/XWIKI-19550