Critical severityNVD Advisory· Published Nov 23, 2022· Updated Apr 22, 2025

XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml

CVE-2022-41928

Description

XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties. This has been patched in versions 13.10.7, 14.4.2, and 14.5. The issue can be fixed on a running wiki by updating XWiki.AttachmentSelector with the versions below: - 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-attachment-uiMaven	>= 5.0-milestone-1, < 13.10.7	13.10.7
org.xwiki.platform:xwiki-platform-attachment-uiMaven	>= 14.0.0, < 14.4.2	14.4.2

Affected products

Xwiki/Xwiki Platformv5
Range: >= 5.0-milestone-1, < 13.10.7

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-9hqh-fmhg-vq2jghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2022-41928ghsaADVISORY
github.com/xwiki/xwiki-platform/security/advisories/GHSA-9hqh-fmhg-vq2jghsaWEB
jira.xwiki.org/browse/XWIKI-19800ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.005
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000