CVE-2022-36095

Cross-Site Request Forgery (CSRF) in maven/org.xwiki.platform/xwiki-platform-web-templates

Identifiers

GHSA-fxwr-4vq9-9vhj, CVE-2022-36095

Package Slug

maven/org.xwiki.platform/xwiki-platform-web-templates

Vulnerability

Cross-Site Request Forgery (CSRF)

Description

XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, a Cross-Site Request Forgery (CSRF) attack can add or remove tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the documentTags.vm template on one's filesystem to apply the same changes made by the patch.

Affected Versions

All versions starting from 2.0-milestone-1 before 13.10.5, all versions starting from 14.0 before 14.3

Solution

Upgrade to versions 13.10.5, 14.3 or above.

Last Modified

2022-09-19
