CVE-2022-29258
Cross-site Scripting in Filter Stream Converter Application in XWiki Platform
Description
### Impact We found a possible XSS vector in the `Filter.FilterStreamDescriptorForm` wiki page related to pretty much all the form fields printed in the home page of the application. ### Patches The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. ### Workarounds The easiest workaround is to edit the wiki page `Filter.FilterStreamDescriptorForm` (with wiki editor) and change the lines ``` <input type="text" id="$descriptorId" name="$descriptorId" value="#if($request.get($descriptorId))$request.get($descriptorId)#else$descriptor.defaultValue#end"/> #else <input type="text" id="$descriptorId" name="$descriptorId"#if($request.get($descriptorId))value="$request.get($descriptorId)"#end/> ``` into ``` <input type="text" id="$descriptorId" name="$descriptorId" value="#if($request.get($descriptorId))$escapetool.xml($request.get($descriptorId))#else$descriptor.defaultValue#end"/> #else <input type="text" id="$descriptorId" name="$descriptorId"#if($request.get($descriptorId))value="$escapetool.xml($request.get($descriptorId))"#end/> ```
How to fix CVE-2022-29258
To remediate CVE-2022-29258, upgrade the affected package to a fixed version below.
- —upgrade to 12.10.11 or later
Is CVE-2022-29258 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 5.4.4, < 12.10.11