PT-2022-23187 · Xwiki · Xwiki Platform
Manuel Leduc · Published 2022-09-08 · Updated 2022-09-16
CVE-2022-36097
CVSS v3.1: 8.9 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 14.0-rc-1 through 14.4-rc-1
Description
The issue allows storing JavaScript in an attachment name, which is executed in the browser of anyone who tries to move the corresponding attachment. For example, an attachment named ><img src=1 onerror=alert(1)>.jpg triggers the alert as soon as a user with move rights opens the move dialog for it. The cause is a missing output escaping step in the moveStep1.vm template: the page title is passed through $escapetool.xml before being interpolated into the dialog title, but the attachment name (and the page URL) are not. Any user who can upload an attachment (PR:L in the vector above) can plant the payload; a victim with rights to move it must then start the move (UI:R).
Recommendations
For versions 14.0-rc-1 through 14.4-rc-1, update to XWiki 14.4-rc-1 or later to resolve the issue.
As a temporary workaround for versions 14.0-rc-1 through 14.4-rc-1, copy moveStep1.vm to webapp/xwiki/templates/moveStep1.vm (a template in that directory takes precedence over the bundled one) and replace the vulnerable code with the patched code. Note that the workaround only changes how the name is rendered in the move dialog; attachments that were already uploaded with a scripted name remain in the wiki and should be reviewed separately. Specifically, replace

#set($titleToDisplay = $services.localization.render('attachment.move.title',
[$attachment.name, $escapetool.xml($doc.plainTitle), $doc.getURL()]))

with

#set($titleToDisplay = $services.localization.render('attachment.move.title', [
$escapetool.xml($attachment.name),
$escapetool.xml($doc.plainTitle),
$escapetool.xml($doc.getURL())
]))

Exploit
Fix
XSS
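The following Python model, added here as an illustration and not code from XWiki or from the advisory, shows why the vulnerable and patched lines of moveStep1.vm behave differently. The translation text for the attachment.move.title key is assumed (only its shape, three arguments interpolated into HTML, matters), and html.escape with quote=True stands in for Velocity's $escapetool.xml, which escapes the same five characters. The model renders the advisory's attachment name through both variants, lists any on* event handlers a browser would see in the result, and includes a small audit helper that flags existing attachment names the fix would render differently.

```python
"""Model of CVE-2022-36097: an attachment name interpolated into the
move-dialog title without XML escaping.

Added illustration, not XWiki code. The message text for
'attachment.move.title' is assumed; html.escape(quote=True) approximates
Velocity's $escapetool.xml (both escape & < > " ').
"""
import html
from html.parser import HTMLParser

# Assumed message text (not taken from XWiki).
# {0} = attachment name, {1} = page title, {2} = page URL.
MOVE_TITLE_PATTERN = 'Move attachment {0} from <a href="{2}">{1}</a>'

# Attachment name given in the advisory.
PAYLOAD_NAME = '><img src=1 onerror=alert(1)>.jpg'


def render_title_vulnerable(attachment_name, plain_title, url):
    """Mirror of the vulnerable moveStep1.vm: only $doc.plainTitle is escaped."""
    return MOVE_TITLE_PATTERN.format(
        attachment_name, html.escape(plain_title, quote=True), url
    )


def render_title_patched(attachment_name, plain_title, url):
    """Mirror of the patched template: every argument goes through $escapetool.xml."""
    return MOVE_TITLE_PATTERN.format(
        html.escape(attachment_name, quote=True),
        html.escape(plain_title, quote=True),
        html.escape(url, quote=True),
    )


class _TagCollector(HTMLParser):
    """Record every start tag a browser would build from the rendered markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, attrs))


def event_handlers(rendered):
    """Return (tag, attribute, value) for every on* attribute in the rendered HTML.

    An empty list means nothing in the dialog title can run script on load.
    """
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [
        (tag, name, value)
        for tag, attrs in parser.tags
        for name, value in attrs
        if name.lower().startswith('on')
    ]


def names_changed_by_escaping(names):
    """Audit helper: attachment names whose rendering the fix would change.

    On an affected version every name in this list reached the move dialog
    unescaped, so those uploads deserve a look rather than blind trust.
    """
    return [n for n in names if html.escape(n, quote=True) != n]


# Constructed sample of attachment names, not taken from any real wiki.
SAMPLE_NAMES = [
    'report.pdf',
    PAYLOAD_NAME,
    'Q3 "final" figures.xlsx',
    'logo.png',
]

if __name__ == '__main__':
    title, url = 'Sandbox', '/xwiki/bin/view/Sandbox/'
    print(event_handlers(render_title_vulnerable(PAYLOAD_NAME, title, url)))
    print(event_handlers(render_title_patched(PAYLOAD_NAME, title, url)))
    print(names_changed_by_escaping(SAMPLE_NAMES))
```

The vulnerable rendering yields an img element carrying an onerror handler, while the patched rendering contains only the anchor from the message text itself, with the payload reduced to inert &lt;...&gt; text. The audit helper is deliberately strict: it flags every name that differs after escaping, including harmless ones with quotes, because the question it answers is which names were being emitted raw, not which ones are confirmed payloads.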
Affected Products
Xwiki Platform