PT-2022-23186 · Unknown · Xwiki Platform

Michael Hamann · Published 2022-09-08 · Updated 2022-09-16 · CVE-2022-36096

CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 13.10.6 and 14.3

Description: The XWiki Platform Index UI allows storing JavaScript in an attachment name; that JavaScript is executed in the browser of anyone who views the deleted attachments index containing such an attachment (stored XSS). For example, an attachment with a name like ><img src=1 onerror=alert(1)>.jpg will execute the alert. This issue has been patched in XWiki 13.10.6 and 14.3.

Recommendations: For versions prior to 13.10.6 and 14.3, update to version 13.10.6 or 14.3 to resolve the issue. As a temporary workaround, edit the wiki page XWiki.DeletedAttachments with the object editor, open the JavaScriptExtension object and apply to its content the changes that can be found in the fix commit.
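The pattern behind this class of bug, as an added illustration that is not XWiki's code and not the content of the fix commit: a listing that concatenates a stored attachment name straight into HTML lets the name's markup be parsed by the browser, while escaping the name first makes it display literally. The attachment name used is the one quoted in the description; the row template and the function names are constructed for this example.

```javascript
// Added example (not XWiki code): stored XSS through an unescaped
// attachment name in a listing, beside the escaped rendering.
// The attachment name is the one quoted in the advisory.
const ATTACHMENT_NAME = '><img src=1 onerror=alert(1)>.jpg';

// Vulnerable pattern: the raw name is concatenated into markup, so the
// "<img ...>" inside the name becomes a real element whose onerror
// handler runs for every viewer of the listing.
function renderRowUnsafe(name) {
  return '<tr><td class="name">' + name + '</td></tr>';
}

// Escape the characters that carry meaning in HTML text and attribute
// contexts so the name is shown as text, never parsed as markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened pattern: escape before inserting into the template.
function renderRowSafe(name) {
  return '<tr><td class="name">' + escapeHtml(name) + '</td></tr>';
}

// Regression check for rendered output: after removing the tags the
// template itself emits, any remaining "<" means user data leaked into
// markup. Useful as a unit test or as a check over captured responses.
function containsUnexpectedMarkup(html) {
  const stripped = html.replace(/<\/?(tr|td)( [^>]*)?>/g, '');
  return /</.test(stripped);
}

// Stand-alone run: shows the two renderings side by side.
console.log('unsafe:', renderRowUnsafe(ATTACHMENT_NAME),
            containsUnexpectedMarkup(renderRowUnsafe(ATTACHMENT_NAME)));
console.log('safe:  ', renderRowSafe(ATTACHMENT_NAME),
            containsUnexpectedMarkup(renderRowSafe(ATTACHMENT_NAME)));
```

In browser code the equivalent of `renderRowSafe` is to build the cell with `document.createElement` and assign the name to `textContent` rather than `innerHTML`; the escaping function is what a string-templating path needs.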

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2022-36096
GHSA-GJMQ-X5X7-WC36

Affected Products

Xwiki Platform