PT-2022-23188 · XWiki · XWiki Platform

Michael Hamann

·

Published

2022-09-08

·

Updated

2022-09-16

·

CVE-2022-36098

CVSS v3.1

8.9

High

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 12.5-rc-1 through 13.10.5
XWiki Platform versions 12.5-rc-1 through 14.3

Description

The XWiki Platform Mentions UI allows storing JavaScript or Groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page that contains the mention. This issue has been patched in XWiki 14.4 and 13.10.6. As a workaround, one may update XWiki.Mentions.MentionsMacro and edit the Macro code field of the XWiki.WikiMacroClass XObject.

Recommendations

For XWiki Platform versions 12.5-rc-1 through 13.10.5, update to version 13.10.6. For XWiki Platform versions 12.5-rc-1 through 14.3, update to version 14.4. As a temporary workaround, update XWiki.Mentions.MentionsMacro and edit the Macro code field of the XWiki.WikiMacroClass XObject so that the mention, anchor, and reference parameters are no longer rendered as executable content. Restrict who may edit or use the XWiki.Mentions.MentionsMacro macro to minimize the risk of exploitation, and avoid using the reference field of the affected mention macro until the fix is applied.
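The advisory describes the bug pattern but not the macro code. The following is an added example, not XWiki's own macro or its fix: a small Python model of a mention renderer that interpolates the caller-controlled anchor and reference fields straight into HTML (the stored-XSS sink), beside a hardened version that allow-lists the identifiers and HTML-escapes anything reaching the markup. The field names follow the advisory; the function names, the link markup, the regular expressions and the sample mentions are assumptions made for this example.

```python
"""Added example (not XWiki code): mention parameters as an HTML injection sink,
and the validate-then-escape pattern that closes it."""
import html
import re

# Constructed sample input: a mention whose anchor and reference fields carry
# attacker-chosen payloads, next to a benign one.
MALICIOUS_MENTION = {
    "reference": 'XWiki.Admin" onmouseover="alert(1)',
    "anchor": '"><script>alert(document.cookie)</script>',
}
BENIGN_MENTION = {"reference": "XWiki.Admin", "anchor": "mention-1"}


def render_mention_vulnerable(m):
    """Unsafe (hypothetical) renderer: raw interpolation of stored parameters into
    attribute and text positions. A quote in either field breaks out of the
    attribute, so whatever the author stored runs for every viewer."""
    return (f'<a href="/bin/view/{m["reference"]}" id="{m["anchor"]}" '
            f'class="wikilink">@{m["reference"]}</a>')


# Allow-lists for the two parameters. An XWiki document reference such as
# XWiki.Admin is letters, digits, dots, underscores and dashes; an HTML id is
# constrained further. Anything else is rejected rather than "cleaned".
REFERENCE_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
ANCHOR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,63}$")


def render_mention_hardened(m):
    """Hardened renderer: validate both fields against the allow-lists, then
    HTML-escape them anyway (defence in depth) before building the markup.
    Rejecting non-identifier input also rules out script payloads regardless of
    which downstream interpreter (HTML, wiki syntax, Groovy) would see them."""
    ref = m.get("reference", "")
    anchor = m.get("anchor", "")
    if not REFERENCE_RE.match(ref):
        raise ValueError(f"invalid mention reference: {ref!r}")
    if not ANCHOR_RE.match(anchor):
        raise ValueError(f"invalid mention anchor: {anchor!r}")
    safe_ref = html.escape(ref, quote=True)
    safe_anchor = html.escape(anchor, quote=True)
    return (f'<a href="/bin/view/{safe_ref}" id="{safe_anchor}" '
            f'class="wikilink">@{safe_ref}</a>')


# Markers that only appear in the output if a parameter escaped its attribute.
SCRIPT_MARKERS = ("<script", " onmouseover=", "javascript:")


def contains_injected_markup(rendered):
    """Crude check for the demonstration: True if any raw script marker is
    present in the rendered HTML."""
    low = rendered.lower()
    return any(mk in low for mk in SCRIPT_MARKERS)


if __name__ == "__main__":
    print(render_mention_vulnerable(MALICIOUS_MENTION))   # payload survives
    print(render_mention_hardened(BENIGN_MENTION))        # clean link
    try:
        render_mention_hardened(MALICIOUS_MENTION)
    except ValueError as e:
        print("rejected:", e)
```

The hardened variant deliberately fails closed: a reference or anchor that does not look like an identifier is refused instead of being escaped into something that may still be misparsed by a later wiki-syntax or script pass, which is the spirit of the workaround above (stop the macro code from treating those fields as anything but plain identifiers).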

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-36098
GHSA-C5V8-2Q4R-5W9V

Affected Products

XWiki Platform