Eval Injection in XWiki platform - CVE-2022-41931
Published: November 21, 2022 / Updated: May 5, 2026
Vulnerability identifier: #VU130003
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-41931
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
XWiki platform
XWiki platform
Software vendor:
XWiki
XWiki
Description
The vulnerability allows a remote user to execute arbitrary Groovy, Python or Velocity code in XWiki.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the icon picker macro when processing macro parameters. A remote user can supply crafted macro parameter values to execute arbitrary Groovy, Python or Velocity code in XWiki.
Exploitation requires view rights on commonly accessible documents that include the icon picker macro.
Remediation
Install security update from vendor's website.