Eval Injection in XWiki platform - CVE-2022-41928

 

Eval Injection in XWiki platform - CVE-2022-41928

Published: November 21, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130006
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-41928
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in AttachmentSelector.xml when rendering attachment metadata or macro properties. A remote user can supply a crafted attachment name or crafted macro property values to execute arbitrary code.

The issue can be triggered through the width, height, or alt properties of the attachmentSelector macro, and can also be reached through attachment renaming in a user profile.


How to mitigate CVE-2022-41928

Install security update from vendor's website.

Sources