Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-icon-ui
Description
xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The problem has been patched in XWiki 13.10.7, 14.5 and 14.4.2. Workarounds: The patch can be manually applied by editing IconThemesCode.IconPickerMacro in the object editor. The whole document can also be replaced by the current version by importing the document from the XAR archive of a fixed version as the only changes to the document have been security fixes and small formatting changes.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-icon-uiMaven | >= 6.4-milestone-2, < 13.10.7 | 13.10.7 |
org.xwiki.platform:xwiki-platform-icon-uiMaven | >= 14.0.0, < 14.4.2 | 14.4.2 |
Affected products
1- Range: >= 6.4-milestone-2, < 13.10.7
Patches
147eb8a5fba55XWIKI-19805: Improve parameter escaping in IconPickerMacro
1 file changed · +2 −2
xwiki-platform-core/xwiki-platform-icon/xwiki-platform-icon-ui/src/main/resources/IconThemesCode/IconPickerMacro.xml+2 −2 modified@@ -200,10 +200,10 @@ options['prefix'] = '$escapetool.javascript($xcontext.macro.params.prefix)'; #end #if("$!xcontext.macro.params.id" != '') - $('#${xcontext.macro.params.id}').xwikiIconPicker(options); + $('#${escapetool.javascript(${xcontext.macro.params.id})}').xwikiIconPicker(options); #end #if("$!xcontext.macro.params.get('class')" != '') - $('.${xcontext.macro.params.get('class')}').xwikiIconPicker(options); + $('.${escapetool.javascript(${xcontext.macro.params.get('class')})}').xwikiIconPicker(options); #end }); </script>
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-5j7g-cf6r-g2h7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-41931ghsaADVISORY
- github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01ghsaWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-5j7g-cf6r-g2h7ghsaWEB
- jira.xwiki.org/browse/XWIKI-19805ghsaWEB
News mentions
0No linked articles in our index yet.