VYPR
Critical severity · NVD Advisory · Published Sep 8, 2022 · Updated Apr 22, 2025

XWiki Platform Mentions UI vulnerable to Cross-site Scripting

CVE-2022-36098

Description

XWiki Platform Mentions UI is the user interface for mentioning users in wiki content on XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it is possible to store JavaScript or Groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page that contains the mention. This issue has been patched in XWiki 14.4 and 13.10.6. As a workaround, one may update XWiki.Mentions.MentionsMacro and edit the Macro code field of the XWiki.WikiMacroClass XObject.
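The mechanism behind the advisory, and the shape of the fix, in an added example that is not XWiki code: the macro template interpolates the mention's anchor, reference, link and content into an HTML `<a>` element, and the patch wraps each of those values in `$escapetool.xml`. Below, Python's `html.escape` stands in for `$escapetool.xml`, the field names mirror the template's variables, and the sample field values are constructed for the demo. The `render_mention` function produces the element both ways so the effect of escaping can be checked rather than inferred.

```python
"""Added example, not code from XWiki: shows why the fix wraps each
interpolated value of the mention macro's <a> element in an escaper.

Python's html.escape stands in for Velocity's $escapetool.xml. The field
names (anchor, reference, link, content) mirror the macro template's
variables; the sample values below are constructed for the demo."""
import html
import re

# Constructed sample field values. Two of them carry markup characters that
# a stored mention could contain: the anchor closes the id attribute and
# starts a new one, and the content carries a raw element.
SAMPLE_FIELDS = {
    "anchor": 'a1" title="injected',
    "reference": "xwiki:XWiki.Admin",
    "link": "/xwiki/bin/view/XWiki/Admin",
    "content": "<em>not text</em>",
}

# The attributes the template itself emits; anything else was injected.
EXPECTED_ATTRIBUTES = ["id", "class", "data-reference", "href"]


def render_mention(fields, escape=True):
    """Build the anchor the way the macro template does.

    escape=True mirrors the patched template (every value escaped);
    escape=False reproduces the pre-fix interpolation of raw values."""
    esc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    return (
        f'<a id="{esc(fields["anchor"])}" class="mention" '
        f'data-reference="{esc(fields["reference"])}" '
        f'href="{esc(fields["link"])}">{esc(fields["content"])}</a>'
    )


def attribute_names(markup):
    """Names of the attributes present on the opening <a> tag."""
    opening = re.match(r"<a\s+([^>]*)>", markup).group(1)
    return re.findall(r'([\w-]+)="', opening)


def tag_count(markup):
    """Number of element tags in the markup; a clean mention has exactly two
    (the opening and closing <a>)."""
    return len(re.findall(r"</?[A-Za-z][^>]*>", markup))


def is_clean(markup):
    """True when the anchor carries only the template's own attributes and
    no element other than the <a> pair made it into the output."""
    return attribute_names(markup) == EXPECTED_ATTRIBUTES and tag_count(markup) == 2


if __name__ == "__main__":
    for mode in (False, True):
        out = render_mention(SAMPLE_FIELDS, escape=mode)
        print(f"escape={mode}: clean={is_clean(out)}\n  {out}")
```

Run stand-alone, the unescaped rendering gains a fifth attribute and two extra tags from the field values, while the escaped rendering keeps exactly the template's four attributes and one element pair. The same two checks (attribute set and tag count) are a cheap regression test for any template that interpolates user-controlled values into attributes.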

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Ecosystem  Affected versions          Patched versions
org.xwiki.platform:xwiki-platform-mentions-ui  Maven      >= 12.5-rc-1, < 13.10.6    13.10.6
org.xwiki.platform:xwiki-platform-mentions-ui  Maven      >= 14.0, < 14.4            14.4

Affected products: 1

Patches: 2
4032dc896857

XWIKI-19752: Improved mentions macro escaping

https://github.com/xwiki/xwiki-platform · Manuel Leduc · May 20, 2022 · via ghsa
1 file changed · +20 −5
  • xwiki-platform-core/xwiki-platform-mentions/xwiki-platform-mentions-ui/src/main/resources/XWiki/Mentions/MentionsMacro.xml · +20 −5 · modified
    @@ -409,7 +409,7 @@ blockquote.mention-quote {
             <displayFormType>select</displayFormType>
             <displayType/>
             <name>async_cached</name>
    -        <number>12</number>
    +        <number>13</number>
             <prettyName>Cached</prettyName>
             <unmodifiable>0</unmodifiable>
             <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType>
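Review bot: the `<number>` bump from 12 to 13 on `async_cached` (and the matching bumps in the following hunks) only makes room for the new `priority` field at number 11 and has nothing to do with the escaping described in the commit message; keeping the renumbering in a separate commit would leave a minimal, easily backported security fix.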
    @@ -422,14 +422,14 @@ blockquote.mention-quote {
             <largeStorage>0</largeStorage>
             <multiSelect>1</multiSelect>
             <name>async_context</name>
    -        <number>13</number>
    +        <number>14</number>
             <prettyName>Context elements</prettyName>
             <relationalStorage>0</relationalStorage>
             <separator>, </separator>
             <separators>|, </separators>
             <size>5</size>
             <unmodifiable>0</unmodifiable>
    -        <values>doc.reference=Document|icon.theme=Icon theme|locale=Language|rendering.defaultsyntax=Default syntax|rendering.restricted=Restricted|rendering.targetsyntax=Target syntax|request.base=Request base URL|request.parameters=Request parameters|request.url=Request URL|request.wiki=Request wiki|user=User|wiki=Wiki</values>
    +        <values>action=Action|doc.reference=Document|icon.theme=Icon theme|locale=Language|rendering.defaultsyntax=Default syntax|rendering.restricted=Restricted|rendering.targetsyntax=Target syntax|request.base=Request base URL|request.parameters=Request parameters|request.url=Request URL|request.wiki=Request wiki|user=User|wiki=Wiki</values>
             <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType>
           </async_context>
           <async_enabled>
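Review bot: the `<values>` line gains a new `action=Action` context element in addition to the renumbering, and neither the commit message nor a comment says why the asynchronously rendered macro now needs the request action in its context; please state the reason (and whether the macro XObject is updated to select it) or move this change out of the escaping fix.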
    @@ -438,7 +438,7 @@ blockquote.mention-quote {
             <displayFormType>select</displayFormType>
             <displayType/>
             <name>async_enabled</name>
    -        <number>11</number>
    +        <number>12</number>
             <prettyName>Asynchronous rendering</prettyName>
             <unmodifiable>0</unmodifiable>
             <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType>
    @@ -543,6 +543,16 @@ blockquote.mention-quote {
             <unmodifiable>0</unmodifiable>
             <classType>com.xpn.xwiki.objects.classes.StringClass</classType>
           </name>
    +      <priority>
    +        <disabled>0</disabled>
    +        <name>priority</name>
    +        <number>11</number>
    +        <numberType>integer</numberType>
    +        <prettyName>Priority</prettyName>
    +        <size>10</size>
    +        <unmodifiable>0</unmodifiable>
    +        <classType>com.xpn.xwiki.objects.classes.NumberClass</classType>
    +      </priority>
           <supportsInlineMode>
             <disabled>0</disabled>
             <displayFormType>select</displayFormType>
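Review bot: the new `priority` NumberClass field is undocumented beyond its `prettyName`; nothing in the hunk or the commit message says what ordering it controls or what values are meaningful, and the field is unrelated to the escaping fix the commit message announces. Add a sentence to the commit message and a `<hint>`-style description if the class supports one, or split the field into its own commit.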
    @@ -595,7 +605,9 @@ blockquote.mention-quote {
     #end
     #set ($link = $xwiki.getURL($reference.reference, 'view'))
     {{html}}
    -&lt;a id="$anchor" class="$stringtool.join($cssClasses, ' ')" data-reference="$services.model.serialize($reference.reference, 'default')" href="$link"&gt;$content&lt;/a&gt;
    +&lt;a id="$escapetool.xml($anchor)" class="$stringtool.join($cssClasses, ' ')" data-reference="$escapetool.xml($services.model.serialize($reference.reference, 'default'))" href="$escapetool.xml($link)"&gt;
    +  $escapetool.xml($content)
    +&lt;/a&gt;
     {{/html}}
     {{/velocity}}</code>
         </property>
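Review bot: `class="$stringtool.join($cssClasses, ' ')"` is the one interpolated attribute left without `$escapetool.xml` while `id`, `data-reference`, `href` and the link text now get it; either wrap it as well or add a comment confirming that `$cssClasses` is assembled only from literal strings. Separately, moving `$escapetool.xml($content)` onto its own line puts newline and indentation text inside the `&lt;a&gt;` element, which changes the rendered inline mention; `&gt;$escapetool.xml($content)&lt;/a&gt;` on one line, as before, keeps the output identical apart from the escaping.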
    @@ -620,6 +632,9 @@ blockquote.mention-quote {
         <property>
           <name>User Mention</name>
         </property>
    +    <property>
    +      <priority/>
    +    </property>
         <property>
           <supportsInlineMode>1</supportsInlineMode>
         </property>
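Review bot: the XObject's new `<priority/>` value is empty, so a NumberClass field is created with no number; if the macro is meant to sort with a specific priority, set it here, and if the empty value is intentional, the commit message should say what default the empty value resolves to.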
    
4f290d87a835

XWIKI-19752: Improved mentions macro escaping

https://github.com/xwiki/xwiki-platform · Manuel Leduc · May 20, 2022 · via ghsa
1 file changed · +3 −1
  • xwiki-platform-core/xwiki-platform-mentions/xwiki-platform-mentions-ui/src/main/resources/XWiki/Mentions/MentionsMacro.xml · +3 −1 · modified
    @@ -604,7 +604,9 @@ blockquote.mention-quote {
     #end
     #set ($link = $xwiki.getURL($reference.reference, 'view'))
     {{html}}
    -&lt;a id="$anchor" class="$stringtool.join($cssClasses, ' ')" data-reference="$services.model.serialize($reference.reference, 'default')" href="$link"&gt;$content&lt;/a&gt;
    +&lt;a id="$escapetool.xml($anchor)" class="$stringtool.join($cssClasses, ' ')" data-reference="$escapetool.xml($services.model.serialize($reference.reference, 'default'))" href="$escapetool.xml($link)"&gt;
    +  $escapetool.xml($content)
    +&lt;/a&gt;
     {{/html}}
     {{/velocity}}</code>
         </property>
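Review bot: this hunk is line-for-line the escaping hunk of 4032dc896857 with only the `@@` offset changed (604 instead of 595), consistent with the same fix applied on a second branch; the same two points apply here, namely that the `class` attribute built from `$cssClasses` is still unescaped and that the line breaks around `$escapetool.xml($content)` add whitespace inside the rendered link.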
    


References: 6