xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The problem has been patched in XWiki 13.10.7, 14.5 and 14.4.2. Workarounds: The [patch](https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01) can be manually applied by editing `IconThemesCode.IconPickerMacro` in the object editor. The whole document can also be replaced by the current version by importing the document from the XAR archive of a fixed version as the only changes to the document have been security fixes and small formatting changes.
References
Link | Resource
---|---
https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01 | Patch, Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5j7g-cf6r-g2h7 | Exploit, Patch, Third Party Advisory
https://jira.xwiki.org/browse/XWIKI-19805 | Exploit, Issue Tracking, Patch, Vendor Advisory
History
21 Nov 2024, 07:24
Type | Values Removed | Values Added
---|---|---
References | | https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01 - Patch, Third Party Advisory
References | | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5j7g-cf6r-g2h7 - Exploit, Patch, Third Party Advisory
References | | https://jira.xwiki.org/browse/XWIKI-19805 - Exploit, Issue Tracking, Patch, Vendor Advisory
CVSS
v2 : unknown
v3 : 9.9
Information
Published : 2022-11-23 20:15
Updated : 2024-11-21 07:24
NVD link : CVE-2022-41931
Mitre link : CVE-2022-41931
CVE.ORG link : CVE-2022-41931
Products Affected
xwiki
- xwiki
CWE
CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')