{
  "id": "CVE-2022-36097",
  "summary": "XWiki Platform Attachment UI vulnerable to cross-site scripting in the move attachment form",
  "details": "XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround, one may copy `moveStep1.vm` to `webapp/xwiki/templates/moveStep1.vm` and replace vulnerable code with code from the patch.",
  "aliases": ["GHSA-9r9j-57rf-f6vj"],
  "modified": "2026-03-01T07:55:11.740378Z",
  "published": "2022-09-08T20:35:11Z",
  "database_specific": {
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36097.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": ["CWE-79", "CWE-80"]
  },
  "references": [
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36097.json"},
    {"type": "FIX", "url": "https://github.com/xwiki/xwiki-platform/commit/fbc4bfbae4f6ce8109addb281de86a03acdb9277"},
    {"type": "ADVISORY", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9r9j-57rf-f6vj"},
    {"type": "WEB", "url": "https://jira.xwiki.org/browse/XWIKI-19667"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36097"},
    {"type": "WEB", "url": "https://raw.githubusercontent.com/xwiki/xwiki-platform/xwiki-platform-14.0-rc-1/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-api/src/main/resources/templates/attachment/moveStep1.vm"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/xwiki/xwiki-commons",
          "events": [
            {"introduced": "491547c4f74b9be58123ef22081ae7e6840a11c7"},
            {"fixed": "58bca6b6f0fb325008ef9147d3c0cdda3e1e306b"}
          ]
        }
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36097.json"
      }
    },
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/xwiki/xwiki-platform",
          "events": [
            {"introduced": "d971304b0e0bf4f6dad278de89518edc17459741"},
            {"fixed": "585702c6749495ff837c791127e584668be87d74"}
          ]
        }
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36097.json"
      }
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"}
  ]
}
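The record's `affected` ranges are Git commit ranges, which are awkward to check an installation against, while the `details` field gives the range as release versions (14.0-rc-1 up to, but not including, 14.4-rc-1). The Python below is an added example, not code from XWiki, the advisory or the OSV project: it turns those two version bounds into an `is_affected()` check (the `version_key()` ordering of `milestone` < `rc` < final release is an assumption about XWiki's version scheme), and it illustrates the CWE-79/CWE-80 pattern the record describes with a hypothetical Python analogue of a form template that interpolates an attachment name into an attribute, beside the same template with the name HTML-escaped. The render functions, the `sourceAttachmentName` field name and the probe file name are all constructed for the example and are not the contents of `moveStep1.vm` or the patch.

```python
"""Checks derived from the CVE-2022-36097 (GHSA-9r9j-57rf-f6vj) OSV record.

Added example, not code from XWiki or from the advisory. It (1) decides whether
an XWiki Platform version string is inside the range the record's `details`
field states, and (2) shows the CWE-79/80 pattern the record describes: an
attachment name interpolated into the move form unescaped, next to the escaped
form. The render functions are a hypothetical Python stand-in for a Velocity
template and are not the real moveStep1.vm.
"""
import html
import re

# Version bounds taken from the record's `details` text.
INTRODUCED = "14.0-rc-1"   # first affected
FIXED = "14.4-rc-1"        # first fixed

# Assumed ordering of XWiki pre-release qualifiers: milestone < rc < final.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2


def version_key(version: str) -> tuple:
    """Map '14.4-rc-1' to a tuple that sorts like XWiki releases.

    Numeric components are padded to three places so '14.4' sorts as '14.4.0';
    a version with no qualifier outranks any pre-release of the same number.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([a-z]+)-(\d+))?", version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    if m.group(2) is None:
        return (tuple(nums[:3]), _FINAL_RANK, 0)
    rank = _QUALIFIER_RANK.get(m.group(2))
    if rank is None:
        raise ValueError(f"unknown qualifier in {version!r}")
    return (tuple(nums[:3]), rank, int(m.group(3)))


def is_affected(version: str) -> bool:
    """True when INTRODUCED <= version < FIXED, as the record states the range."""
    return version_key(INTRODUCED) <= version_key(version) < version_key(FIXED)


# --- CWE-79/80 pattern: attachment name reaching the move form unescaped ---

# Constructed probe file name: closes the attribute and opens a new element.
PROBE_NAME = 'report"><img src=x onerror="alert(1)">.txt'


def render_move_form_unsafe(attachment_name: str) -> str:
    """Hypothetical vulnerable rendering: raw name dropped into an attribute."""
    return f'<input type="hidden" name="sourceAttachmentName" value="{attachment_name}">'


def render_move_form_safe(attachment_name: str) -> str:
    """Same form with the name HTML-escaped (quotes included) before insertion."""
    return (
        '<input type="hidden" name="sourceAttachmentName" value="'
        + html.escape(attachment_name, quote=True)
        + '">'
    )


def injected_tags(rendered: str) -> list:
    """Tag names in the output other than the <input> the form itself emits."""
    return [t for t in re.findall(r"<([a-zA-Z]+)", rendered) if t.lower() != "input"]


if __name__ == "__main__":
    for v in ("13.10.7", "14.0-rc-1", "14.3", "14.4-rc-1", "14.4"):
        print(f"{v:>10}: {'affected' if is_affected(v) else 'not affected'}")
    print("unsafe form injects:", injected_tags(render_move_form_unsafe(PROBE_NAME)))
    print("  safe form injects:", injected_tags(render_move_form_safe(PROBE_NAME)))
```

The escaped form neutralises the probe because `html.escape(..., quote=True)` rewrites `"`, `<` and `>` into entities, so the browser never leaves the attribute value; escaping only `<` and `>` would still let a quote-breakout turn the name into new attributes such as an event handler. The same rule applies to any template engine: escape for the exact context (HTML attribute, HTML text, JavaScript string) at the point of output, rather than trusting the file name because it came from the wiki's own attachment store.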