Eval Injection in XWiki platform - CVE-2022-36100

 


Published: September 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130008
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-36100
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user with view rights on the Main.Tags document to execute arbitrary code on the server with programming rights.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code (CWE-95) in the Main.Tags document. When the document handles a do=viewTag request, the user-supplied tag parameter is placed into content that is evaluated with programming rights without being escaped, so wiki syntax or script directives inside the parameter are executed rather than treated as a tag name. A remote user can send a specially crafted request to execute arbitrary code with programming rights.

On public wikis, view rights on Main.Tags are granted to everyone by default; on private wikis, any authenticated user typically has the required view rights. On versions before 13.10.4 and 14.2, the issue can be chained with the authentication bypass in the login action, so that no rights at all are required.
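The request pattern described above is easy to spot after the fact in web-server access logs. The following Python script is an added example written for this page; it is not part of the advisory or of XWiki, and it runs over constructed log lines rather than real traffic. It parses Common Log Format lines, decodes the query string, and flags do=viewTag requests to Main.Tags whose tag parameter contains wiki macro delimiters or Velocity directives, which a legitimate tag name never needs. The indicator regex, the path layout /<context>/bin/<action>/Main/Tags, and the sample lines are assumptions; the extra note for requests arriving through the login action reflects the chaining described above, not a tested bypass.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [08/Sep/2022:10:01:02 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=security HTTP/1.1" 200 5120
10.0.0.7 - - [08/Sep/2022:10:03:44 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewTag&tag=%7B%7Bgroovy%7D%7D HTTP/1.1" 200 4096
10.0.0.9 - - [08/Sep/2022:10:05:10 +0000] "GET /xwiki/bin/login/Main/Tags?do=viewTag&tag=%23set(%24x%3D1) HTTP/1.1" 200 3000
10.0.0.5 - bob [08/Sep/2022:10:06:00 +0000] "GET /xwiki/bin/view/Main/Tags?do=viewAll HTTP/1.1" 200 7000
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed path layout for XWiki URLs: /<context>/bin/<action>/<Space>/<Page>
PATH_RE = re.compile(r'^/[^/]+/bin/(?P<action>[^/]+)/Main/Tags/?$')

# Assumed indicators (not taken from the advisory): XWiki macro delimiters and
# Velocity directives or references have no business inside a tag name.
SUSPICIOUS_RE = re.compile(
    r'\{\{|\}\}|#(?:set|if|foreach|macro|include|evaluate)\b|\$!?\{?[A-Za-z_]',
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def tag_request(target):
    """If target is a Main.Tags do=viewTag request, return (action, decoded tag); else None."""
    parts = urlsplit(target)
    pm = PATH_RE.match(parts.path)
    if not pm:
        return None
    qs = parse_qs(parts.query)  # percent-decodes parameter values
    if qs.get("do") != ["viewTag"] or "tag" not in qs:
        return None
    return pm.group("action"), qs["tag"][0]


def classify(line):
    """Return an alert dict when the line is a suspicious viewTag request, else None."""
    fields = parse_line(line)
    if not fields:
        return None
    req = tag_request(fields["target"])
    if not req:
        return None
    action, tag = req
    if not SUSPICIOUS_RE.search(tag):
        return None
    reason = "wiki macro or Velocity syntax in tag parameter"
    if action == "login" and fields["user"] == "-":
        # Matches the chain described for versions before 13.10.4 / 14.2.
        reason += "; reached via login action without credentials"
    return {
        "ip": fields["ip"],
        "user": fields["user"],
        "action": action,
        "tag": tag,
        "status": int(fields["status"]),
        "reason": reason,
    }


def scan(log_text):
    """Run classify() over every line and return the list of alerts."""
    return [a for a in (classify(l) for l in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Only the second and third sample lines are reported; the plain tag lookup and the do=viewAll request pass. Because the indicator check runs on the decoded value, double-encoded or mixed-case variants of the same syntax are still caught once parse_qs has decoded them, but anything the web server logs as truncated or already sanitised will not be, so treat a hit as a trigger for pulling the full request, not as proof of compromise.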


Remediation

Install the security update from the vendor's website.

External links