CVE-2022-29258 – This CVE describes a cross-site scripting (XSS)... (How to Fix)

Q: What is the severity of CVE-2022-29258?

CVE-2022-29258 has a CVSS score of 7.4 (HIGH). This CVE describes a cross-site scripting (XSS) vulnerability in XWiki Platform Filter UI that allows attackers to inject malicious scripts into form fields on the application's home page. When exploited, this could lead to session hijacking, credential theft, or unauthorized actions. Affected users are those running XWiki versions 6.0-milestone-2 through 5.4.4 and prior to 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3.

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in XWiki Platform Filter UI that allows attackers to inject malicious scripts into form fields on the application's home page. When exploited, this could lead to session hijacking, credential theft, or unauthorized actions. Affected users are those running XWiki versions 6.0-milestone-2 through 5.4.4 and prior to 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3.

💻 Affected Systems

Products:

XWiki Platform Filter UI

Versions: 6.0-milestone-2 through 5.4.4 and prior to 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the Filter.FilterStreamDescriptorForm wiki page where form fields are printed without proper sanitization.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover, data exfiltration, or administrative privilege escalation through session hijacking or credential theft.

🟠

Likely Case

Session hijacking leading to unauthorized access to user accounts and potential data manipulation.

🟢

If Mitigated

Limited impact with proper input validation and output encoding in place, potentially only affecting non-sensitive data.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity, especially when unauthenticated access is possible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.10.11, 14.0-rc-1, 13.4.7, or 13.10.3

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xjfw-5vv5-vjq2

Restart Required: Yes

Instructions:

1. Upgrade XWiki to version 12.10.11, 14.0-rc-1, 13.4.7, or 13.10.3. 2. Restart the XWiki service. 3. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Manual Wiki Page Edit

all

Edit the Filter.FilterStreamDescriptorForm wiki page to apply security fixes as per GitHub advisory instructions.

Edit Filter.FilterStreamDescriptorForm page using wiki editor with instructions from GitHub advisory

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block XSS payloads
Apply input validation and output encoding at the application layer

🔍 How to Verify

Check if Vulnerable:

Check XWiki version against affected ranges: 6.0-milestone-2 through 5.4.4 and versions prior to 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3.

Check Version:

Check XWiki administration panel or configuration files for version information.

Verify Fix Applied:

Verify XWiki version is 12.10.11, 14.0-rc-1, 13.4.7, or 13.10.3 or later.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to Filter.FilterStreamDescriptorForm with script tags or JavaScript payloads
Error logs showing malformed input in form fields

Network Indicators:

HTTP requests containing script tags or JavaScript in form field parameters

SIEM Query:

source="xwiki" AND (http_method="POST" AND uri="*Filter.FilterStreamDescriptorForm*" AND (content="<script>" OR content="javascript:"))

📊 Metadata

CVE ID: CVE-2022-29258

CVSS v3 Score: 7.4 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CWE: CWE-80

Published: May 31, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/xwiki/xwiki-platform/commit/21906acb5ee2304552f56f9bbdbf8e7d368f7f3a Patch,Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xjfw-5vv5-vjq2 Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19293 Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/21906acb5ee2304552f56f9bbdbf8e7d368f7f3a Patch,Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xjfw-5vv5-vjq2 Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19293 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-29258, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Xwiki by Xwiki

Xwiki by Xwiki

Xwiki by Xwiki

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Manual Wiki Page Edit

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities