CVE-2022-36096
Published: 08 September 2022
Summary
CVE-2022-36096 is a high-severity Cross-site Scripting (CWE-79) vulnerability in XWiki (XWiki Platform). Its CVSS base score is 8.9 (High).
Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a stored cross-site scripting flaw (CWE-79/CWE-80) in the XWiki Platform Index UI, specifically the deleted attachments index page. It affects XWiki Platform versions prior to 13.10.6 and 14.3, where JavaScript embedded in an attachment filename is stored and later executed in the browser of any user who views the index.
An attacker with low privileges can upload or create an attachment whose name contains malicious JavaScript. When another user subsequently views the deleted attachments index, the script executes with the viewing user's permissions, enabling theft of sensitive data, account takeover, or other actions that produce high confidentiality and integrity impact along with limited availability impact.
The issue was fixed in XWiki 13.10.6 and 14.3. The project advisory and associated commits describe a workaround that consists of editing the XWiki.DeletedAttachments wiki page via the object editor, locating the JavaScriptExtension object, and applying the sanitization changes present in the patch commit.
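A constructed JavaScript illustration of the defect class described above and of the escaping-style hardening the workaround points at, added here as an example; it is not XWiki's JavaScriptExtension code or the fix commit, and the function names and sample attachment names are assumptions.

```javascript
// Constructed example (not XWiki's own code): an attachment-name list
// rendered with and without context-appropriate escaping.

// Minimal HTML escaper: neutralises the five characters that let untrusted
// text break out of an HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the attachment name is concatenated straight into
// markup, so a name containing tags is interpreted as HTML, not as text.
function renderDeletedAttachmentsUnsafe(attachments) {
  return '<ul>' + attachments.map(function (a) {
    return '<li data-id="' + a.id + '">' + a.filename + '</li>';
  }).join('') + '</ul>';
}

// Hardened pattern: every untrusted value is escaped for the context it
// lands in (text node or quoted attribute) before concatenation.
function renderDeletedAttachmentsSafe(attachments) {
  return '<ul>' + attachments.map(function (a) {
    return '<li data-id="' + escapeHtml(a.id) + '">' +
      escapeHtml(a.filename) + '</li>';
  }).join('') + '</ul>';
}

// Constructed sample input: one benign entry and one whose filename carries
// markup, standing in for a name an untrusted uploader could have chosen.
const SAMPLE_DELETED_ATTACHMENTS = [
  { id: 'att-1', filename: 'minutes.pdf' },
  { id: 'att-2', filename: 'report<script>alert(1)</script>.pdf' }
];

// Heuristic check a reviewer can run over rendered output: after dropping the
// template's own <ul>/<li> tags, any surviving raw <script> tag or inline
// event-handler attribute means a value reached the markup unescaped.
function containsRawScript(html) {
  const body = html.replace(/<\/?(ul|li)\b[^>]*>/gi, '');
  return /<script\b|\son[a-z]+\s*=/i.test(body);
}
```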
EPSS reached a peak of 0.5451 before receding to the current value of 0.4425, indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6824
Vulnerability details
The XWiki Platform Index UI is an index of all pages, attachments, orphans and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing JavaScript in its name. This issue has been patched in XWiki 13.10.6 and 14.3. As a workaround, fix the vulnerability by editing the wiki page `XWiki.DeletedAttachments` with the object editor, opening the `JavaScriptExtension` object and applying to its content the changes that can be found in the fix commit.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.