Lucene search

GoogleOSV:GHSA-FXWR-4VQ9-9VHJ

HistorySep 16, 2022 - 9:04 p.m.

XWiki Cross-Site Request Forgery (CSRF) for actions on tags

2022-09-1621:04:25

Google

osv.dev

xwiki

cross-site request forgery

csrf

Impact

It’s possible to perform a CSRF attack for adding or removing tags on XWiki pages.

Patches

The problem has been patched in XWiki 13.10.5 and 14.3.

Workarounds

It’s possible to fix the issue without upgrading by locally modifying the documentTags.vm template in your filesystem, to apply the changes exposed there: https://github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae.

References

https://jira.xwiki.org/browse/XWIKI-19550

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki
Email us at security ML

References

github.com/xwiki/xwiki-platform

github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae

github.com/xwiki/xwiki-platform/security/advisories/GHSA-fxwr-4vq9-9vhj

jira.xwiki.org/browse/XWIKI-19550

nvd.nist.gov/vuln/detail/CVE-2022-36095

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

26.0%

JSON

Related for OSV:GHSA-FXWR-4VQ9-9VHJ