PT-2022-23191 · XWiki · XWiki Platform Tag UI and XWiki Platform Applications Tag

Michael Hamann · Published 2022-09-08 · Updated 2023-07-10

CVE-2022-36100

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform Applications Tag versions 1.7 through 13.10.5
XWiki Platform Tag UI versions prior to 13.10.6 and 14.4

Description

The tags document Main.Tags in XWiki did not sanitize user inputs properly, allowing users with view rights on the document to execute arbitrary Groovy, Python, and Velocity code with programming rights. This bypassed all rights checks and thus allowed both modification and disclosure of all content stored in the XWiki installation; the vulnerability could also be used to impact the availability of the wiki. On XWiki versions before 13.10.4 and 14.2, this can be combined with an authentication bypass, meaning that no rights are required to perform the attack.

Recommendations

For XWiki Platform Applications Tag versions 1.7 through 13.10.5, update to version 13.10.6 or later. For XWiki Platform Tag UI versions prior to 13.10.6 and 14.4, update to version 13.10.6 or 14.4, or later. As a temporary workaround, the patch that fixes the issue can be applied manually to the document Main.Tags, or the updated version of that document can be imported from version 14.4 of xwiki-platform-tag-ui using the import feature in the administration UI (available on XWiki 10.9 and later).

Weakness Enumeration

Code Injection
Improper Encoding or Escaping of Output
Eval Injection

Related Identifiers

CVE-2022-36100
GHSA-2G5C-228J-P52X

Affected Products

XWiki Platform Applications Tag
XWiki Platform Tag UI