CVE-2022-36094 HIGH

CVE-2022-36094: XWiki Platform Web Parent POM vulnerable to XSS in the attachment history

Vendor Xwiki
Product xwiki-platform
Weakness CWE-79 · XSS
Published September 8, 2022
Last update April 22, 2025
View on NVD All CVEs

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

What the vulnerability does

01Description

XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, by a patched version from the patch without updating XWiki.

Key dates

02Disclosure timeline

September 8, 2022 CVE published
April 22, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-2302 Contact Form and Calls To Action by vcita <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-3402 Stored XSS vulnerability in gaizhenbiao/chuanhuchatgpt CVE-2024-1073 SlimStat Analytics <= 5.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting CVE-2025-54746 WordPress Shortcode Redirect Plugin <= 1.0.02 - Cross Site Scripting (XSS) Vulnerability CVE-2024-10538 Happy Addons for Elementor <= 3.12.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Comparison