CVE-2022-36098
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in maven/org.xwiki.platform/xwiki-platform-mentions-ui
GHSA-c5v8-2q4r-5w9v, CVE-2022-36098
maven/org.xwiki.platform/xwiki-platform-mentions-ui
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched on XWiki 14.4 and 13.10.6. As a workaround, one may update XWiki.Mentions.MentionsMacro and edit the Macro code field of the XWiki.WikiMacroClass XObject.
All versions starting from 12.5-rc-1 before 13.10.6, all versions starting from 14.0 before 14.4
Upgrade to versions 13.10.6, 14.4 or above.
2022-09-19
| source |