Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2022-23622

 

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2022-23622

Published: February 9, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130025
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-23622
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to cross-site scripting in the registerinline.vm template when handling the xredirect hidden field. A remote attacker can supply a crafted xredirect value to disclose sensitive information.

This template is only used when the wiki is open to registration for anyone and the registration page is forbidden in view for guest users. User interaction is required.


How to mitigate CVE-2022-23622

Install security update from vendor's website.

Sources