Eval Injection in XWiki platform - CVE-2022-36098

 

Eval Injection in XWiki platform - CVE-2022-36098

Published: September 8, 2022 / Updated: May 5, 2026


Vulnerability identifier: #VU130010
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-36098
CWE-ID: CWE-95
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the mentions macro UI when processing mention macro anchor or reference fields. A remote user can store specially crafted JavaScript or Groovy code in a mention macro field to execute arbitrary code.

The injected code is executed when a page containing the malicious mention is viewed.


How to mitigate CVE-2022-36098

Install security update from vendor's website.

Sources