Cyber Resilience

CVE-2022-36097

Severity: High · Public PoC

Published: 08 September 2022

Modified: 21 November 2024
KEV Added:
Patch:
CVSS v3.1 score: 8.9 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L)
EPSS score: 0.2183 (95.9th percentile)
Risk Priority: 31 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-36097 is a high-severity Cross-site Scripting (CWE-79) vulnerability in XWiki (vendor XWiki, product XWiki). Its CVSS base score is 8.9 (High).

Operationally, it is ranked in the top 4.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform Attachment UI, a component of the generic wiki platform XWiki, contains a stored cross-site scripting vulnerability. Versions from 14.0-rc-1 up to but not including 14.4-rc-1 allow JavaScript to be persisted in an attachment filename; the script executes in the browser of any user who later attempts to move that attachment. The flaw is tracked under CWE-79 and CWE-80 and carries a CVSS 3.1 score of 8.9.

An authenticated user with attachment-creation privileges can upload a file whose name contains executable script. When another user with move rights opens the move dialog for that attachment, the script runs with the victim’s session privileges, enabling theft of sensitive data, account takeover, or other actions within the wiki’s security context.

The project’s security advisory and the associated patch commit state that the issue is fixed in XWiki 14.4-rc-1. Administrators unable to upgrade immediately are advised to copy the template moveStep1.vm into the web application directory and replace the vulnerable code with the version supplied in the patch.

EPSS for the CVE rose from a low baseline after disclosure to a peak of 0.4419 on 2025-12-11 before receding to the current value of 0.2183, indicating a clear increase in observed exploitation interest well after the original publication date.

EU & UK References

Vulnerability details

XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround, one may copy `moveStep1.vm` to `webapp/xwiki/templates/moveStep1.vm` and replace vulnerable code with code from the patch.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Versions: 14.0 — 14.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
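The two controls above (input validation of attachment names and output encoding when a name is rendered into a page) are shown side by side below. This is an added example written for this page, not XWiki's own code and not the contents of the patched moveStep1.vm template; the attachment names, the `render_move_dialog*` functions and the audit-log lines are constructed for illustration.

```python
import html
import re

# Constructed sample attachment names (not taken from the advisory). The first is
# benign; the other two carry HTML/script markup of the kind the advisory says
# could be persisted in a filename.
SAMPLE_NAMES = [
    "quarterly-report.pdf",
    "<img src=x onerror=alert(1)>.png",
    "notes<script>alert(document.cookie)</script>.txt",
]

# Characters that have meaning inside HTML or an HTML attribute, plus the
# javascript: URL scheme. A filename has no legitimate need for any of them.
MARKUP_PATTERN = re.compile(r"[<>\"'&]|javascript:", re.IGNORECASE)


def is_suspicious_name(name: str) -> bool:
    """Input-validation control: flag an attachment name containing markup metacharacters."""
    return bool(MARKUP_PATTERN.search(name))


def audit_attachment_names(names):
    """Detection helper: return the subset of uploaded names that fail validation.

    In a real deployment this would run over an upload audit log rather than a list.
    """
    return [n for n in names if is_suspicious_name(n)]


def render_move_dialog_vulnerable(name: str) -> str:
    """Defect class illustrated by the advisory: the filename is interpolated raw into
    the move dialog's HTML, so markup in the name becomes part of the page."""
    return f'<input type="text" name="targetName" value="{name}">'


def render_move_dialog(name: str) -> str:
    """Output-encoding control: the filename is HTML-escaped (including quotes) before
    it is placed inside an attribute, so it is displayed as text and never parsed as markup."""
    return f'<input type="text" name="targetName" value="{html.escape(name, quote=True)}">'


def attribute_value_is_inert(fragment: str) -> bool:
    """Check that the rendered value attribute contains no raw '<', '>' or '"'.

    Only the text between value=" and the closing "> is inspected.
    """
    start = fragment.index('value="') + len('value="')
    end = fragment.rindex('">')
    value = fragment[start:end]
    return not re.search(r'[<>"]', value)


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(f"{name!r}: suspicious={is_suspicious_name(name)}")
        print("  vulnerable:", render_move_dialog_vulnerable(name))
        print("  escaped:   ", render_move_dialog(name))
```

The validation check is a defence-in-depth layer: rejecting metacharacters at upload time narrows the attack surface, but the output-encoding step is the fix that actually removes the XSS, because it makes any stored name inert wherever it is rendered, including names already in the database.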

References