Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14amZ3LTV2djUtdmpxMs4AArTa
Cross-site Scripting in Filter Stream Converter Application in XWiki Platform
Impact
We found a possible XSS vector in the Filter.FilterStreamDescriptorForm wiki page related to pretty much all the form fields printed in the home page of the application.
Patches
The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3.
Workarounds
The easiest workaround is to edit the wiki page Filter.FilterStreamDescriptorForm (with wiki editor) and change the lines
<input type="text" id="$descriptorId" name="$descriptorId" value="#if($request.get($descriptorId))$request.get($descriptorId)#else$descriptor.defaultValue#end"/>
#else
<input type="text" id="$descriptorId" name="$descriptorId"#if($request.get($descriptorId))value="$request.get($descriptorId)"#end/>
into
<input type="text" id="$descriptorId" name="$descriptorId" value="#if($request.get($descriptorId))$escapetool.xml($request.get($descriptorId))#else$descriptor.defaultValue#end"/>
#else
<input type="text" id="$descriptorId" name="$descriptorId"#if($request.get($descriptorId))value="$escapetool.xml($request.get($descriptorId))"#end/>
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14amZ3LTV2djUtdmpxMs4AArTa
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 7.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Identifiers: GHSA-xjfw-5vv5-vjq2, CVE-2022-29258
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xjfw-5vv5-vjq2
- https://nvd.nist.gov/vuln/detail/CVE-2022-29258
- https://github.com/xwiki/xwiki-platform/commit/21906acb5ee2304552f56f9bbdbf8e7d368f7f3a
- https://jira.xwiki.org/browse/XWIKI-19293
- https://github.com/advisories/GHSA-xjfw-5vv5-vjq2
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-filter-ui
Affected Version Ranges: >= 13.5.0, < 13.10.3, >= 13.0.0, < 13.4.7, >= 5.4.4, < 12.10.11Fixed in: 13.10.3, 13.4.7, 12.10.11