Main Vulnerability Database Vulnerabilities #VU129999

Eval Injection in XWiki platform - CVE-2022-41934

Published: November 21, 2022 / Updated: May 5, 2026

Vulnerability identifier: #VU129999

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-41934

CWE-ID: CWE-95

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
XWiki platform

Software vendor:
XWiki

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the menu macro when processing macro content and parameters. A remote user can inject crafted Groovy, Python, or Velocity code to execute arbitrary code.

The issue affects commonly accessible documents that include the menu macro and can lead to full access to the XWiki installation.

Remediation

Install security update from vendor's website.

Eval Injection in XWiki platform - CVE-2022-41934

Description

Remediation

External links

Please verify you're human