PT-2022-19500 · Unknown · Xwiki Platform
Thomas Mortagne · Published 2022-05-25 · Updated 2022-06-07
CVE-2022-29252
CVSS v3.1: 7.4 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
XWiki Platform Wiki UI Main Wiki versions 5.3-milestone-2 through 12.10.10
XWiki Platform Wiki UI Main Wiki versions 13.4.6 and earlier
XWiki Platform Wiki UI Main Wiki versions 13.10.2 and earlier
XWiki Platform Wiki UI Main Wiki versions 14.0-rc-1 and earlier
Description
The issue concerns a possible cross-site scripting vector in the WikiManager.JoinWiki wiki page related to the requestJoin field.
Recommendations
For versions 5.3-milestone-2 through 12.10.10, update to version 12.10.11.
For versions 13.4.6 and earlier, update to version 13.4.7.
For versions 13.10.2 and earlier, update to version 13.10.3.
As a temporary workaround for all affected versions, edit the wiki page WikiManager.JoinWiki and change the line <input type='hidden' name='requestJoin' value="$!request.requestJoin"/> into <input type='hidden' name='requestJoin' value="$escapetool.xml($!request.requestJoin)">.
Exploit
Fix
Improper Encoding or Escaping of Output
XSS
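The workaround above, as an added check an administrator could run over the exported source of WikiManager.JoinWiki; this is example code written for this entry, not XWiki's own, and the escapetool_xml helper is an assumed approximation of what Velocity's $escapetool.xml escapes.

```python
import re

# Constructed sample lines, copied from the advisory's workaround text above.
VULNERABLE_LINE = '<input type=\'hidden\' name=\'requestJoin\' value="$!request.requestJoin"/>'
FIXED_LINE = '<input type=\'hidden\' name=\'requestJoin\' value="$escapetool.xml($!request.requestJoin)">'

# Matches the requestJoin hidden input whose value attribute echoes the raw
# request parameter with no escaping call wrapped around it.
UNESCAPED_PATTERN = re.compile(
    r"""<input\s+type=['"]hidden['"]\s+name=['"]requestJoin['"]\s+"""
    r"""value="\$!?request\.requestJoin"\s*/?>"""
)


def is_vulnerable(page_source: str) -> bool:
    """True if the JoinWiki page source still echoes requestJoin unescaped."""
    return UNESCAPED_PATTERN.search(page_source) is not None


def apply_workaround(page_source: str) -> str:
    """Rewrite every unescaped occurrence to the form the advisory recommends."""
    return UNESCAPED_PATTERN.sub(lambda _m: FIXED_LINE, page_source)


def escapetool_xml(value: str) -> str:
    """Assumed behaviour of Velocity's $escapetool.xml: the five XML special
    characters become entities, so the value can neither terminate the
    surrounding attribute nor start a new element."""
    return (value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                 .replace('"', "&quot;").replace("'", "&apos;"))


def render_hidden_input(request_join: str, escaped: bool) -> str:
    """Render the hidden input as the template would, with or without the fix."""
    value = escapetool_xml(request_join) if escaped else request_join
    return f"<input type='hidden' name='requestJoin' value=\"{value}\"/>"


def value_stays_in_attribute(rendered: str) -> bool:
    """Check that the rendered markup is still exactly one element whose
    value attribute contains no raw quote or angle bracket."""
    m = re.fullmatch(r"<input type='hidden' name='requestJoin' value=\"([^\"<>]*)\"/>", rendered)
    return m is not None


if __name__ == "__main__":
    # Constructed sample: a value carrying characters that would end the attribute.
    sample = 'Team "A" <b>'
    print(value_stays_in_attribute(render_hidden_input(sample, escaped=False)))  # False
    print(value_stays_in_attribute(render_hidden_input(sample, escaped=True)))   # True
```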
Related Identifiers
Affected Products
Xwiki Platform