# CVE-2022-36100
Published: 2022-09-08
Priority P2 · 72 · high · CVSS 3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 73.61% (99.4th percentile)
XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Starting with version 1.7 in XWiki Platform Applications Tag and prior to 13.10.6 and 14.4 in XWiki Platform Tag UI, the tags document `Main.Tags` in XWiki didn't sanitize user inputs properly. This allowed users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This also allowed bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. The vulnerability could be used to impact the availability of the wiki. On XWiki versions before 13.10.4 and 14.2, this can be combined with CVE-2022-36092, meaning that no rights are required to perform the attack. The vulnerability has been patched in versions 13.10.6 and 14.4. As a workaround, the patch that fixes the issue can be manually applied to the document `Main.Tags` or the updated version of that document can be imported from version 14.4 of xwiki-platform-tag-ui using the import feature in the administration UI on XWiki 10.9 and later.
## Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | — | — |
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 1.7 < 13.10.6 | 13.10.6 |
| xwiki | xwiki | >= 14.0 < 14.4 | 14.4 |
| xwiki | xwiki | >= 2.0 < 14.10.7 | 14.10.7 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
## CVSS provenance
- nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- ghsa: 8.8 HIGH
- osv: 8.8 HIGH
## GHSA: CVE-2023-36468 [HIGH] CWE-459: Upgrading doesn't prevent exploiting vulnerable XWiki documents
Source: ghsa (also indexed by osv) · 2023-06-30 · CVSS 8.8
### Impact
When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document, only a new version of that document is added; the older revisions remain in the document history. In some cases, it's still possible to exploit the vulnerability that was fixed in the new version. The severity of this depends on the fixed vulnerability; for the purposes of this advisory, take [CVE-2022-36100](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2g5c-228j-p52x) as an example: it is easily exploitable with just view rights and critical. When XWiki is upgraded from a version before the fix for it (e.g., 14.3) to a version including the fix (e.g., 14.4), the vulnerability can still be reproduced by adding `rev=1.1` to the URL used in the reproduction.
## GHSA: CVE-2022-36100 [CRITICAL] CWE-116: XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection
Source: ghsa (also indexed by osv) · 2022-09-16
### Impact
The tags document `Main.Tags` in XWiki didn't sanitize user inputs properly, allowing users with view rights on the document (the default in a public wiki, or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This allows bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. It could also be used to impact the availability of the wiki. Some versions of XWiki XML-escaped the tag (e.g., version 3.1), but this isn't a serious limitation, as string literals can be delimited by `/` in Groovy and double-quote characters aren't necessary, e.g., to elevate the privileges of the current user.
On XWiki versions before 13.10.4 and 14.2, this can be combined with CVE-2022-36092, meaning that no rights are required to perform the attack.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/xwiki/xwiki-platform/commit/604868033ebd191cf2d1e94db336f0c4d9096427
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2g5c-228j-p52x
- https://jira.xwiki.org/browse/XWIKI-19747