GHSA-xjfw-5vv5-vjq2

Advisory Details

### Impact
We found a possible XSS vector in the `Filter.FilterStreamDescriptorForm` wiki page related to pretty much all the form fields printed in the home page of the application.

### Patches
The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3.

### Workarounds
The easiest workaround is to edit the wiki page `Filter.FilterStreamDescriptorForm` (with wiki editor) and change the lines

```
<input type="text" id="$descriptorId" name="$descriptorId" value="#if($request.get($descriptorId))$request.get($descriptorId)#else$descriptor.defaultValue#end"/>
#else
<input type="text" id="$descriptorId" name="$descriptorId"#if($request.get($descriptorId))value="$request.get($descriptorId)"#end/>
```

into

```
<input type="text" id="$descriptorId" name="$descriptorId" value="#if($request.get($descriptorId))$escapetool.xml($request.get($descriptorId))#else$descriptor.defaultValue#end"/>
#else
<input type="text" id="$descriptorId" name="$descriptorId"#if($request.get($descriptorId))value="$escapetool.xml($request.get($descriptorId))"#end/>
```

Affected Packages

Maven org.xwiki.platform:xwiki-platform-filter-ui

Affected versions: 5.4.4 (fixed in 12.10.11)

Maven org.xwiki.platform:xwiki-platform-filter-ui

Affected versions: 13.0.0 (fixed in 13.4.7)

Maven org.xwiki.platform:xwiki-platform-filter-ui

Affected versions: 13.5.0 (fixed in 13.10.3)

Related CVEs

CVE-2022-29258

Cross-site Scripting in Filter Stream Converter Application in XWiki Platform

Advisory Details

Affected Packages

Related CVEs

Key Information

Dataset