XWiki Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2022-36098 - Vulnerability Database

XWiki Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2022-36098

Critical

Reference: CVE-2022-36098

NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2022-36098

Title: XWiki Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability

Overview:

XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4 it39s possible to store Javascript or groovy scripts in a mention macro anchor or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched on XWiki 14.4 and 13.10.6. As a workaround one may update XWiki.Mentions.MentionsMacro and edit the Macro code field of the XWiki.WikiMacroClass XObject.