Description
XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, it is possible to perform a Cross-Site Request Forgery (CSRF) attack for adding or removing tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the `documentTags.vm` template in one's filesystem, to apply the changes exposed there.
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fxwr-4vq9-9vhj
Patch, Third Party Advisory x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae
Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-19550
Scores
CVSS v3
4.3
EPSS
0.0011
EPSS Percentile
29.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (3)
org.xwiki.platform/xwiki-platform-web-templates
2.0-milestone-1 - 13.10.5Maven
xwiki/xwiki
2.0 milestone2
xwiki/xwiki
2.3 - 13.10.6
Published
Sep 08, 2022
Tracked Since
Feb 18, 2026