Eval Injection in XWiki platform - CVE-2022-41928
Published: November 21, 2022 / Updated: May 5, 2026
Vulnerability identifier: #VU130006
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-41928
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
XWiki platform
XWiki platform
Software vendor:
XWiki
XWiki
Description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in AttachmentSelector.xml when rendering attachment metadata or macro properties. A remote user can supply a crafted attachment name or crafted macro property values to execute arbitrary code.
The issue can be triggered through the width, height, or alt properties of the attachmentSelector macro, and can also be reached through attachment renaming in a user profile.
Remediation
Install security update from vendor's website.