PT-2022-16136 · Xwiki · Xwiki Platform

Simon Urli · Published 2022-02-09 · Updated 2022-02-15 · CVE-2022-23622

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 12.10.11
XWiki Platform versions prior to 13.4.7
XWiki Platform versions prior to 13.10.3
XWiki Platform versions prior to 14.0-rc-1
Description

The issue is a cross-site scripting (XSS) vector in the registerinline.vm template, specifically in the xredirect hidden field. This template is used when the wiki is open to registration for anyone but closed to view for guest users, or when the XWiki.Registration page is forbidden in View for guest users. Administrators obtain the second condition by checking the "Prevent unregistered users from viewing pages, regardless of the page rights" box in the administration rights.
Recommendations

For versions prior to 12.10.11, to 13.4.7, to 13.10.3 and to 14.0-rc-1, apply a patch in the registerinline.vm template that checks the value of the xredirect field. As a temporary workaround, ensure "Prevent unregistered users from viewing pages, regardless of the page rights" is not checked in the rights and apply a better rights scheme using groups and rights on spaces.
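The kind of check the recommendation calls for, shown as an added Python illustration rather than XWiki's own Velocity patch: only same-site relative paths are accepted for xredirect, anything else falls back to a default, and the value is HTML-escaped when the hidden field is emitted. The default path, the policy and the function names are assumptions for this example.

```python
from html import escape
from urllib.parse import urlsplit

# Assumed fallback target; a real deployment would use its own landing page.
DEFAULT_REDIRECT = "/xwiki/bin/view/Main/"


def is_safe_xredirect(value: str) -> bool:
    """Accept only an absolute path on the same site (assumed policy).

    Rejects empty values, whitespace/control characters, backslashes
    (browsers treat "/\\host" like "//host"), scheme-relative URLs and
    anything carrying a scheme or a host.
    """
    if not value or any(ord(c) < 33 for c in value):
        return False
    if "\\" in value or value.startswith("//"):
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False
    return value.startswith("/")


def render_xredirect_field(value: str) -> str:
    """Emit the hidden field with a validated, attribute-escaped value."""
    target = value if is_safe_xredirect(value) else DEFAULT_REDIRECT
    # quote=True escapes both " and ' so the value cannot close the attribute.
    return f'<input type="hidden" name="xredirect" value="{escape(target, quote=True)}" />'
```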

Tags: Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2022-23622
GHSA-GX6H-936C-VRRR

Affected Products

Xwiki Platform