Eval Injection in XWiki platform - CVE-2022-36099

 

Eval Injection in XWiki platform - CVE-2022-36099

Published: September 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130009
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-36099
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in XWikiServerClassSheet when processing a crafted URL parameter in the sheet request. A remote user can inject arbitrary wiki syntax including script macros to execute arbitrary code.

Exploitation requires view access to this sheet and to another page that has been saved with programming rights.


How to mitigate CVE-2022-36099

Install security update from vendor's website.

Sources