Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in XWiki platform - CVE-2022-23622

Published: February 9, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130025
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-23622
CWE-ID: CWE-80
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to execute arbitrary script in the browser of a user who opens a crafted link, and thereby to disclose sensitive information from that user's session.

The vulnerability exists because the registerinline.vm template emits the value of the xredirect hidden field into the registration form without adequately neutralizing HTML markup (CWE-80). A remote attacker can craft a URL whose xredirect parameter carries script-related tags; when the victim loads the resulting page, the injected script runs in the victim's session and can disclose sensitive information.

This template is only used when the wiki is open to registration for anyone and view access to the registration page is denied to guest users. User interaction is required: the victim has to open the crafted link.
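The following example, added to this advisory and not taken from XWiki's own Velocity template or its fix, models the CWE-80 pattern the description refers to: a hidden input whose value comes straight from the xredirect request parameter, first interpolated verbatim and then with HTML-attribute escaping applied. It also includes a small access-log check that flags xredirect values carrying HTML metacharacters. The form markup, the request paths in the sample log lines and the generic attribute-breakout payload are assumptions used for illustration, not reproductions of XWiki code or a verified exploit for this CVE.

```python
"""Modeled illustration of the xredirect hidden-field XSS pattern (CWE-80).

Added example: the render functions imitate the shape of a hidden <input>
fed from the xredirect parameter, not XWiki's actual registerinline.vm.
"""
import html
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlparse


def render_hidden_field_vulnerable(xredirect: str) -> str:
    """Modeled vulnerable pattern: the parameter lands in the attribute verbatim."""
    return ('<form method="post"><input type="hidden" name="xredirect" value="'
            + xredirect + '" /></form>')


def render_hidden_field_fixed(xredirect: str) -> str:
    """Hardened form: escape <, >, &, quotes so the value cannot leave the attribute."""
    return ('<form method="post"><input type="hidden" name="xredirect" value="'
            + html.escape(xredirect, quote=True) + '" /></form>')


class _FormAudit(HTMLParser):
    """Records the xredirect hidden values and any <script> elements a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden_values: List[str] = []
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values arrive with character references decoded
        if tag == "input" and a.get("type") == "hidden" and a.get("name") == "xredirect":
            self.hidden_values.append(a.get("value") or "")
        if tag == "script":
            self.script_tags += 1


def audit(rendered: str, original: str) -> Dict[str, bool]:
    """Did the value survive as a single attribute, and did a <script> element appear?"""
    p = _FormAudit()
    p.feed(rendered)
    p.close()
    return {
        "value_intact": p.hidden_values == [original],
        "script_injected": p.script_tags > 0,
    }


_HTML_META = re.compile(r'[<>"\']')


def suspicious_xredirect(access_log_line: str) -> Optional[str]:
    """Return the decoded xredirect value if it contains HTML metacharacters, else None.

    Expects a Common Log Format line whose request field reads "METHOD path HTTP/x".
    """
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', access_log_line)
    if not m:
        return None
    query = urlparse(m.group(1)).query
    for value in parse_qs(query).get("xredirect", []):
        decoded = unquote(value)  # second pass catches double-encoded payloads
        if _HTML_META.search(decoded):
            return decoded
    return None


# Constructed sample log lines; the registration path is a placeholder, not XWiki's real URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Feb/2022:10:00:00 +0000] "GET /wiki/register?xredirect=%2Fwiki%2Fview%2FMain%2F HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Feb/2022:10:00:07 +0000] "GET /wiki/register?xredirect=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640',
]


def demo() -> dict:
    """Run the vulnerable and fixed renderers on a generic breakout payload and scan the log."""
    payload = '"><script>alert(1)</script>'  # generic attribute-breakout payload, assumed for illustration
    return {
        "vulnerable": audit(render_hidden_field_vulnerable(payload), payload),
        "fixed": audit(render_hidden_field_fixed(payload), payload),
        "flagged": [suspicious_xredirect(line) for line in SAMPLE_LOG],
    }


if __name__ == "__main__":
    print(demo())
```

The audit parses the rendered form the way a browser would: in the vulnerable rendering the quote in the payload terminates the value attribute and a real script element follows, whereas in the escaped rendering the parser hands back the original string as the attribute value and no script element exists. The log check decodes the parameter twice so that a double-encoded payload is not missed.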


Remediation

Install the security update from the vendor's website. Until it is applied, the vulnerable template is not reached on wikis that do not allow open registration or that let guest users view the registration page.

External links