Lucene search

GitHub_MCVELIST:CVE-2022-36095

HistorySep 08, 2022 - 8:20 p.m.

CVE-2022-36095 XWiki Cross-Site Request Forgery (CSRF) for actions on tags

2022-09-0820:20:13

CWE-352

GitHub_M

www.cve.org

xwiki

csrf

vulnerability

13.10.5

14.3

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

4.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.0%

JSON

XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, it is possible to perform a Cross-Site Request Forgery (CSRF) attack for adding or removing tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the documentTags.vm template in one’s filesystem, to apply the changes exposed there.

CNA Affected

[
  {
    "product": "xwiki-platform",
    "vendor": "xwiki",
    "versions": [
      {
        "status": "affected",
        "version": ">= 2.0-milestone-1, < 13.10.5"
      },
      {
        "status": "affected",
        "version": ">= 14.0, < 14.3"
      }
    ]
  }
]

References

github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae

github.com/xwiki/xwiki-platform/security/advisories/GHSA-fxwr-4vq9-9vhj

jira.xwiki.org/browse/XWIKI-19550

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

4.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.0%

JSON

Related for CVELIST:CVE-2022-36095