CVE-2022-36095: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform, was found to be vulnerable to Cross-Site Request Forgery (CSRF) attacks prior to versions 13.10.5 and 14.3. The vulnerability (CVE-2022-36095) allowed attackers to perform unauthorized actions for adding or removing tags on XWiki pages. The issue was discovered in version 2.0 M2 and affected all subsequent versions until the patch release (GitHub Advisory, NVD).

The vulnerability stemmed from improper CSRF token validation in the tag management functionality. While the CSRF token was included in the form for adding tags, it was not properly validated on the server side. This allowed unauthorized tag modifications through specific URL endpoints: '/xwiki/bin/view/Main/?xpage=documentTags&xaction=add' for adding tags and '/xwiki/bin/view/Main/?xpage=documentTags&xaction=delete' for removing tags. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (GitHub Advisory).

The vulnerability allowed attackers to manipulate tags on XWiki pages without proper authorization. This could lead to unauthorized modification of page metadata and potential disruption of content organization within the wiki system (GitHub Advisory).

The vulnerability has been patched in XWiki versions 13.10.5 and 14.3. For users unable to upgrade immediately, a workaround is available by locally modifying the documentTags.vm template in the filesystem to implement proper CSRF token validation, as detailed in the patch commit (GitHub Commit, GitHub Advisory).