Eval Injection in XWiki platform - CVE-2022-36099

Published: September 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130009
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-36099
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: XWiki platform
Software vendor: XWiki

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists because XWikiServerClassSheet does not properly neutralize directives in dynamically evaluated code when it processes a crafted URL parameter in the sheet request (CWE-95). A remote user can inject arbitrary wiki syntax, including script macros, and thereby execute arbitrary code.

Exploitation requires view access to this sheet and to another page that has been saved with programming rights.
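As an added detection example (not part of this advisory and not XWiki code): because the sheet evaluates wiki syntax taken from a URL parameter, a defender can scan web-server access logs for query values that carry XWiki macro syntax, and flag script macros in particular. The parameter name `param`, the sample log lines and the list of script-macro names are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed list of XWiki script-macro names; the advisory only says "script macros".
SCRIPT_MACROS = {"groovy", "velocity", "python", "php", "ruby", "script"}
# Opening wiki macro syntax: "{{name" (closing tags "{{/name}}" do not match).
MACRO_RE = re.compile(r"\{\{\s*([a-zA-Z][\w.-]*)")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding; parse_qs removes only one layer."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_macro_params(url: str) -> list:
    """Return (parameter, macro-name) pairs for query values containing macro syntax."""
    hits = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for v in values:
            for m in MACRO_RE.finditer(decode_fully(v)):
                hits.append((name, m.group(1).lower()))
    return hits


def classify(url: str) -> str:
    """'script-macro' if a script macro is present, 'wiki-macro' for any other macro, else 'clean'."""
    hits = find_macro_params(url)
    if any(macro in SCRIPT_MACROS for _, macro in hits):
        return "script-macro"
    return "wiki-macro" if hits else "clean"


# Constructed access-log lines (Common Log Format); not from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Sep/2022:10:00:01 +0000] "GET /xwiki/bin/view/XWiki/XWikiServerClassSheet?param=hello HTTP/1.1" 200 512
10.0.0.9 - - [08/Sep/2022:10:00:02 +0000] "GET /xwiki/bin/view/XWiki/XWikiServerClassSheet?param=%7B%7Bgroovy%7D%7D1%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 700
"""


def scan_log(text: str) -> list:
    """Classify the request URL of every GET/POST line in an access log."""
    results = []
    for line in text.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) ', line)
        if m:
            results.append(classify(m.group(1)))
    return results
```

Pair the "script-macro" verdict with the page's precondition: a request is only a real concern when the requester also has view access to a page saved with programming rights.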


Remediation

Install security update from vendor's website.