GHSA-fxwr-4vq9-9vhj

GitHub Security Advisory

XWiki Cross-Site Request Forgery (CSRF) for actions on tags

✓ GitHub Reviewed | Severity: MODERATE | Has CVE

Advisory Details

### Impact
It's possible to perform a CSRF attack for adding or removing tags on XWiki pages.

### Patches
The problem has been patched in XWiki 13.10.5 and 14.3.

### Workarounds
It's possible to fix the issue without upgrading by locally modifying the documentTags.vm template on your filesystem to apply the changes shown in this commit: https://github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae.

### References
https://jira.xwiki.org/browse/XWIKI-19550

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki](https://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-web-templates
Affected versions: 2.0-milestone-1 (fixed in 13.10.5)
Maven org.xwiki.platform:xwiki-platform-web-templates
Affected versions: 14.0 (fixed in 14.3)

Key Information

GHSA ID: GHSA-fxwr-4vq9-9vhj
Published: September 16, 2022 9:04 PM
Last Modified: September 16, 2022 9:04 PM
CVSS Score: 5.0 / 10
Primary Ecosystem: Maven
Primary Package: org.xwiki.platform:xwiki-platform-web-templates
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 29, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.