Eval Injection in XWiki platform - CVE-2022-36098
Published: September 8, 2022 / Updated: May 5, 2026
Vulnerability identifier: #VU130010
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-36098
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
XWiki platform
XWiki platform
Software vendor:
XWiki
XWiki
Description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the mentions macro UI when processing mention macro anchor or reference fields. A remote user can store specially crafted JavaScript or Groovy code in a mention macro field to execute arbitrary code.
The injected code is executed when a page containing the malicious mention is viewed.
Remediation
Install security update from vendor's website.