CVE-2022-36095

XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, it is possible to perform a Cross-Site Request Forgery (CSRF) attack for adding or removing tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the documentTags.vm template in one's filesystem, to apply the changes exposed there.

Published: Sep 8, 2022
Updated: May 9, 2024
CVE: CVE-2022-36095
GHSA: GHSA-fxwr-4vq9-9vhj
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
xwiki / xwiki	14.0	14.3
xwiki / xwiki	2.3	13.10.6
xwiki / xwiki	2.0-milestone2	2.0-milestone2.x
org.xwiki.platform / xwiki-platform-web-templates	2.0-milestone-1	13.10.5
org.xwiki.platform / xwiki-platform-web-templates	14.0	14.3

https://github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fxwr-4vq9-9vhj
https://jira.xwiki.org/browse/XWIKI-19550

Vulnerability Database

CVE-2022-36095

Deep Security Visibility Without the Complexity