SCA: security update for org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki (GHSA-xr6m-2p4m-jvqf)

high Tenable Self-Hosted Container Security Plugin ID 420636

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform Wiki UI Main Wiki is software for managing subwikis on XWiki Platform, a generic wiki
platform. Starting with version 5.3-milestone-2 and prior to versions 13.10.6 and 14.4, it's possible to
inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the request (URL
parameter) using the `XWikiServerClassSheet` if the user has view access to this sheet and another page
that has been saved with programming rights, a standard condition on a public read-only XWiki installation
or a private XWiki installation where the user has an account. This allows arbitrary
Groovy/Python/Velocity code execution which allows bypassing all rights checks and thus both modification
and disclosure of all content stored in the XWiki installation. Also, this could be used to impact the
availability of the wiki. This has been patched in versions 13.10.6 and 14.4. As a workaround, edit the
affected document `XWiki.XWikiServerClassSheet` or `WikiManager.XWikiServerClassSheet` and manually
perform the changes from the patch fixing the issue. On XWiki versions 12.0 and later, it is also possible
to import the document `XWiki.XWikiServerClassSheet` from the xwiki-platform-wiki-ui-mainwiki package
version 14.4 using the import feature of the administration application as there have been no other
changes to this document since XWiki 12.0. (CVE-2022-36099)

See Also

https://github.com/advisories/GHSA-xr6m-2p4m-jvqf

Plugin Details

Severity: High

ID: 420636

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-36099

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/16/2022

Vulnerability Publication Date: 9/8/2022

Reference Information

CVE: CVE-2022-36099