{
  "schema_version": "1.4.0",
  "id": "GHSA-9r9j-57rf-f6vj",
  "modified": "2022-09-16T17:39:08Z",
  "published": "2022-09-16T17:39:08Z",
  "aliases": [
    "CVE-2022-36097"
  ],
  "summary": "XWiki Platform Attachment UI vulnerable to cross-site scripting in the move attachment form",
  "details": "### Impact\n\nIt's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment.\n\nFor example, an attachment with name `><img src=1 onerror=alert(1)>.jpg` will execute the alert.\n\n### Patches\nThis issue has been patched in XWiki 14.4RC1.\n\n### Workarounds\nIt is possible to fix the vulnerability by copying [moveStep1.vm](https://raw.githubusercontent.com/xwiki/xwiki-platform/xwiki-platform-14.0-rc-1/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-api/src/main/resources/templates/attachment/moveStep1.vm) to `webapp/xwiki/templates/moveStep1.vm` and replace \n\n```\n#set($titleToDisplay = $services.localization.render('attachment.move.title', \n  [$attachment.name, $escapetool.xml($doc.plainTitle), $doc.getURL()]))\n```\n\nby \n\n```\n#set($titleToDisplay = $services.localization.render('attachment.move.title', [\n  $escapetool.xml($attachment.name), \n  $escapetool.xml($doc.plainTitle), \n  $escapetool.xml($doc.getURL())\n]))\n```\n\nSee the corresponding [patch](https://github.com/xwiki/xwiki-platform/commit/fbc4bfbae4f6ce8109addb281de86a03acdb9277).\n\n### References\n\n- https://jira.xwiki.org/browse/XWIKI-19667\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n- Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-attachment-ui"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "14.0-rc-1"
            },
            {
              "fixed": "14.4-rc-1"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9r9j-57rf-f6vj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-36097"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/fbc4bfbae4f6ce8109addb281de86a03acdb9277"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-19667"
    },
    {
      "type": "WEB",
      "url": "https://raw.githubusercontent.com/xwiki/xwiki-platform/xwiki-platform-14.0-rc-1/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-api/src/main/resources/templates/attachment/moveStep1.vm"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79",
      "CWE-80"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-16T17:39:08Z",
    "nvd_published_at": "2022-09-08T21:15:00Z"
  }
}