CVE-2022-36097
published 2022-09-08


Priority: P346
CVSS 3.1 base score: 6.1 (medium)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 57.39% (99.0th percentile)
XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround, one may copy `moveStep1.vm` to `webapp/xwiki/templates/moveStep1.vm` and replace vulnerable code with code from the patch.

Affected (2 ranges)

Vendor   Product          Version range     Fixed in
xwiki    xwiki            >= 14.0 < 14.3    14.3
xwiki    xwiki-platform