CVE-2022-23620 MEDIUM

CVE-2022-23620: Path traversal in xwiki-platform-skin-skinx

Vendor Xwiki
Product xwiki-platform
Weakness CWE-22 · Path traversal
Published February 9, 2022
Last update April 23, 2025

CVSS base score

6.8/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:H

What the vulnerability does

01Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document references when serializing it on filesystem, it is possible to for the HTML export process to contain reference elements containing filesystem syntax like "../", "./". or "/" in general. The referenced elements are not properly escaped. This issue has been resolved in version 13.6-rc-1. This issue can be worked around by limiting or disabling document export.

Key dates

02Disclosure timeline

February 9, 2022 CVE published
April 23, 2025 Record updated

Related vulnerabilities

04Related CVE