CVE-2022-36097: 
Java vulnerability analysis and mitigation

CVE-2022-36097 affects XWiki Platform's Attachment UI, a macro designed for uploading and selecting attachments. The vulnerability was discovered in versions from 14.0-rc-1 to prior to 14.4-rc-1, where it was possible to store JavaScript in an attachment name that would be executed when users attempt to move the corresponding attachment. The issue was patched in XWiki 14.4-rc-1 (GitHub Advisory).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue, specifically related to improper neutralization of script-related HTML tags (CWE-80) and improper neutralization of input during web page generation (CWE-79). The CVSS v3.1 base score is 8.9 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L, indicating a network-accessible vulnerability with low attack complexity requiring low privileges and user interaction (GitHub Advisory).

When exploited, the vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers when they attempt to move an attachment. For example, an attachment with a specially crafted name containing JavaScript code would trigger code execution when accessed through the move attachment functionality (GitHub Advisory).

The primary mitigation is to upgrade to XWiki version 14.4-rc-1 or later. For users unable to upgrade immediately, a workaround is available by copying moveStep1.vm to webapp/xwiki/templates/moveStep1.vm and replacing the vulnerable code with proper escaping of the attachment name, document title, and URL in the title display configuration (GitHub Advisory).