SCA: security update for org.xwiki.platform:xwiki-platform-tag-ui (GHSA-2g5c-228j-p52x)

high Tenable Self-Hosted Container Security Plugin ID 408901

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki
platform. Starting with version 1.7 in XWiki Platform Applications Tag and prior to 13.10.6 and 14.4 in
XWiki Platform Tag UI, the tags document `Main.Tags` in XWiki didn't sanitize user inputs properly. This
allowed users with view rights on the document (default in a public wiki or for authenticated users on
private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This also
allowed bypassing all rights checks and thus both modification and disclosure of all content stored in the
XWiki installation. The vulnerability could be used to impact the availability of the wiki. On XWiki
versions before 13.10.4 and 14.2, this can be combined with CVE-2022-36092, meaning that no rights are
required to perform the attack. The vulnerability has been patched in versions 13.10.6 and 14.4. As a
workaround, the patch that fixes the issue can be manually applied to the document `Main.Tags` or the
updated version of that document can be imported from version 14.4 of xwiki-platform-tag-ui using the
import feature in the administration UI on XWiki 10.9 and later. (CVE-2022-36100)

See Also

https://github.com/advisories/GHSA-2g5c-228j-p52x

Plugin Details

Severity: High

ID: 408901

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.54

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-36100

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/16/2022

Vulnerability Publication Date: 9/8/2022

Reference Information

CVE: CVE-2022-36100