cpe:2.3:a:xwiki:xwiki:2.2:milestone1:*:*:*:*:*:*

part: a version: 2.2 update: milestone1

Vendor: Xwiki (cdc9c0cd-6ac5-5dc0-9f52-915ebd57f20d)
Product: Xwiki (2fad5bf8-5703-5dac-bd8d-95a867c2e84d)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from NVD CPE 2.0 feed

PURL mappings

PURL | Source | Last updated
pkg:docker/xwiki/xwiki | purl2cpe | 2026-06-01 10:18:15.767485
pkg:github/xwiki/xwiki-platform | purl2cpe | 2026-06-01 10:18:15.767486
pkg:gitlab/q-phillips/xwiki-platform | purl2cpe | 2026-06-01 10:18:15.767488
pkg:xwiki/xwiki | purl2cpe | 2026-06-01 10:18:15.767489

Vulnerability references

Identifier: CVE:CVE-2023-32071
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:51:57.493429
db.gcve.eu details: XWiki Platform vulnerable to RXSS via editor parameter - importinline template
CRITICAL (9.1)
XWiki Platform is a generic wiki platform. Starting in versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute JavaScript with the right of any user by leading him to a special URL on the wiki targeting a page which contains an attachment. This has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8. The easiest possible workaround is to edit file `<xwiki app>/templates/importinline.vm` and apply the modification described in commit 28905f7f518cc6f21ea61fe37e9e1ed97ef36f01.
Published: 2023-05-09T15:42:16.143Z
Updated: 2025-01-28T16:36:40.254Z
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE:CVE-2022-36096
cpeApplicability: vulnerable
Submitted: 2026-06-03 14:47:39.416977
db.gcve.eu details: XWiki Platform vulnerable to Cross-site Scripting in the deleted attachments list
HIGH (8.9)
The XWiki Platform Index UI is an Index of all pages, attachments, orphans and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing JavaScript in its name. This issue has been patched in XWiki 13.10.6 and 14.3. As a workaround, fix the vulnerability by editing the wiki page `XWiki.DeletedAttachments` with the object editor, open the `JavaScriptExtension` object and apply on the content the changes that can be found on the fix commit.
Published: 2022-09-08T20:30:13.000Z
Updated: 2025-04-23T17:12:48.753Z
Rationale: Imported from gcve-enriched-dumps CVE data