{
  "id": "CVE-2022-36098",
  "summary": "XWiki Platform Mentions UI vulnerable to Cross-site Scripting",
  "details": "XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched on XWiki 14.4 and 13.10.6. As a workaround, one may update `XWiki.Mentions.MentionsMacro` and edit the `Macro code` field of the `XWiki.WikiMacroClass` XObject.",
  "aliases": ["GHSA-c5v8-2q4r-5w9v"],
  "modified": "2026-04-10T04:49:14.746808Z",
  "published": "2022-09-08T20:50:11Z",
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": ["CWE-79"],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36098.json"
  },
  "references": [
    {"type": "WEB", "url": "https://jira.xwiki.org/browse/XWIKI-19752"},
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36098.json"},
    {"type": "ADVISORY", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5v8-2q4r-5w9v"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36098"},
    {"type": "FIX", "url": "https://github.com/xwiki/xwiki-platform/commit/4032dc896857597efd169966dc9e2752a9fdd459#diff-4fe22885f772e47d3561a05348f73921669ec12d4413b220383b73c7ae484bc4R608-R610"},
    {"type": "FIX", "url": "https://github.com/xwiki/xwiki-platform/commit/4f290d87a8355e967378a1ed6aee23a06ba162eb"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://github.com/xwiki/xwiki-platform",
          "events": [
            {"introduced": "35cf93c39603e3b476bb3e42a04dfb1059e7fe62"},
            {"fixed": "c3f97150d6997ada95d919857fdc9690ed7ed316"}
          ],
          "database_specific": {"versions": [{"introduced": "12.5-rc-1"}, {"fixed": "13.10.6"}]}
        },
        {
          "type": "GIT",
          "repo": "https://github.com/xwiki/xwiki-platform",
          "events": [
            {"introduced": "d971304b0e0bf4f6dad278de89518edc17459741"},
            {"fixed": "5d23a4d1ec341678fa8f1c2ac60d50f0a16f5e3b"}
          ],
          "database_specific": {"versions": [{"introduced": "14.0"}, {"fixed": "14.4"}]}
        }
      ],
      "database_specific": {"source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-36098.json"}
    }
  ],
  "schema_version": "1.7.5",
  "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"}]
}
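The record above describes the bug class only in prose: a mention macro's `reference` and `anchor` parameters are stored with the page and later rendered into the page's HTML, so a script placed in either field runs for every visitor (stored XSS, CWE-79). The following is an added illustration, not XWiki's macro code and not the patch linked in the record. It models a mention renderer in plain JavaScript; the parameter names, the output markup, the allow-list patterns and the three sample payloads are all assumptions constructed for the example. It contrasts the unsafe interpolation with two layers of defence: contextual HTML escaping of every parameter, and allow-list validation of what a mention reference or anchor may look like at all.

```javascript
// Added example (not XWiki code): stored XSS through macro parameters, and the fix.
// Assumed parameter names: `reference` (the mentioned user document) and `anchor`
// (an HTML id for the mention). Assumed markup: an <a> element.

// Escape the five characters that matter in HTML text and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: stored parameters are concatenated straight into the markup,
// so a `"` in either field closes the attribute and the rest becomes live HTML.
function renderMentionVulnerable({ reference, anchor }) {
  return `<a id="${anchor}" href="/bin/view/${reference}">@${reference}</a>`;
}

// First layer: escape on output. The payload is still stored, but the browser sees
// it as text inside the attribute/element rather than as tags.
function renderMentionEscaped({ reference, anchor }) {
  return `<a id="${escapeHtml(anchor)}" href="/bin/view/${encodeURIComponent(reference)}">@${escapeHtml(reference)}</a>`;
}

// Second layer: reject values that cannot be a legitimate mention at all
// (assumed shapes: "Space.Page"-style references, dash/underscore anchors).
const REFERENCE_RE = /^[A-Za-z0-9_.-]+$/;
const ANCHOR_RE = /^[A-Za-z0-9_-]+$/;

function renderMentionHardened(params) {
  if (!REFERENCE_RE.test(params.reference)) throw new Error('invalid mention reference');
  if (!ANCHOR_RE.test(params.anchor)) throw new Error('invalid mention anchor');
  return renderMentionEscaped(params);
}

// Constructed sample inputs: one benign mention and two attacker-controlled fields.
const SAMPLE_MENTIONS = [
  { reference: 'XWiki.Alice', anchor: 'anchor-1' },
  { reference: 'XWiki.Alice', anchor: '"><img src=x onerror=alert(1)>' },
  { reference: '"><script>alert(document.cookie)</script>', anchor: 'anchor-2' },
];

// Detection used by the example: does the output contain a real (unescaped) tag that
// the browser would execute? Escaped output never contains a raw `<` from the input.
function containsLiveTag(html) {
  return /<(script|img)\b/i.test(html);
}

// Run every sample through the three renderers and report what a visitor would get.
function evaluate(mentions = SAMPLE_MENTIONS) {
  return mentions.map((m) => {
    let hardened = null;
    let rejected = false;
    try {
      hardened = renderMentionHardened(m);
    } catch (e) {
      rejected = true;
    }
    return {
      vulnerableExecutes: containsLiveTag(renderMentionVulnerable(m)),
      escapedExecutes: containsLiveTag(renderMentionEscaped(m)),
      hardenedExecutes: hardened !== null && containsLiveTag(hardened),
      rejected,
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(evaluate());
}
```

The escaping layer alone is enough to stop the script from running, which is what the workaround in the record (editing the macro's `Macro code` so parameters are no longer emitted raw) amounts to; the allow-list layer is the extra check worth adding because it also blocks the payload from being stored in the first place, so a later template change cannot silently reintroduce the bug.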