PT-2022-23184 · Xwiki · Xwiki Platform Web Parent Pom

Michael Hamann · Published 2022-09-08 · Updated 2022-09-16 · CVE-2022-36094

CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions:
XWiki Platform Web Parent POM versions 1.0 through 13.10.5
XWiki Platform Web Parent POM versions 14.0-rc-1 through 14.3

Description: The issue allows storing JavaScript that is executed by anyone viewing the history of an attachment whose name contains JavaScript. For example, an attachment named ><img src=1 onerror=alert(1)>.jpg will execute the alert when its history is viewed. This issue has been patched in XWiki 13.10.6 and 14.3RC1.

Recommendations: For versions prior to 13.10.6, update to version 13.10.6 or later. For versions prior to 14.3RC1, update to version 14.3RC1 or later. As a temporary workaround, the viewattachrev.vm file can be replaced with the patched version from the fix without updating XWiki.
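The following Python is an added illustration, not XWiki's code or its viewattachrev.vm template: it models the flaw in generic terms (an attachment name concatenated into the history page's HTML unescaped, beside the same name passed through HTML and URL escaping) and adds a check an administrator could run over an exported list of attachment names to find ones that carry markup. The function names, the row layout and the sample names are assumptions.

```python
import html
import re
from urllib.parse import quote

# Constructed sample attachment names; the first is the payload quoted in the advisory.
SAMPLE_NAMES = [
    '><img src=1 onerror=alert(1)>.jpg',
    'quarterly-report.pdf',
    'photo "2022".png',
]


def render_history_row_unescaped(filename: str, version: str) -> str:
    """Pre-fix behaviour (modelled): the attachment name is pasted into the HTML
    as-is, so any markup in the name becomes part of the page."""
    return (f'<tr><td>{version}</td>'
            f'<td><a href="/download/{filename}">{filename}</a></td></tr>')


def render_history_row_escaped(filename: str, version: str) -> str:
    """Fixed behaviour (modelled): the name is escaped for the context it lands in.
    Element content gets HTML escaping (quotes included); the href gets URL
    percent-encoding, which also neutralises <, >, quotes and parentheses."""
    text_safe = html.escape(filename, quote=True)
    href_safe = quote(filename)
    return (f'<tr><td>{html.escape(version)}</td>'
            f'<td><a href="/download/{href_safe}">{text_safe}</a></td></tr>')


# Characters that can break out of element content or out of an attribute value.
MARKUP_CHARS = re.compile(r'[<>"\']')


def suspicious_attachment_names(names):
    """Return the names containing HTML-significant characters. Run over an
    attachment listing, this flags names worth inspecting on an unpatched wiki."""
    return [n for n in names if MARKUP_CHARS.search(n)]
```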

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2022-36094, GHSA-MXF2-4R22-5HQ9

Affected Products: Xwiki, Xwiki Platform Web Parent Pom