Critical severityNVD Advisory· Published Nov 23, 2022· Updated Apr 22, 2025
Improper Neutralization of Directives in Dynamically Evaluated Code in org.xwiki.platform:xwiki-platform-menu-ui
CVE-2022-41934
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on commonly accessible documents including the menu macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation due to improper escaping of the macro content and parameters of the menu macro. The problem has been patched in XWiki 14.6RC1, 13.10.8 and 14.4.3. The patch (commit 2fc20891) for the document Menu.MenuMacro can be manually applied or a XAR archive of a patched version can be imported. The menu macro was basically unchanged since XWiki 11.6 so on XWiki 11.6 or later the patch for version of 13.10.8 (commit 59ccca24a) can most likely be applied, on XWiki version 14.0 and later the versions in XWiki 14.6 and 14.4.3 should be appropriate.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-menu-uiMaven | < 13.10.8 | 13.10.8 |
org.xwiki.platform:xwiki-platform-menu-uiMaven | >= 14.0.0, < 14.4.3 | 14.4.3 |
Affected products
1- Range: < 13.10.8
Patches
259ccca24a846XWIKI-19857: Modernize the menu macro and add escaping
1 file changed · +38 −15
xwiki-platform-core/xwiki-platform-menu/xwiki-platform-menu-ui/src/main/resources/Menu/MenuMacro.xml+38 −15 modified@@ -20,7 +20,7 @@ * 02110-1301 USA, or see the FSF site: http://www.fsf.org. --> -<xwikidoc version="1.3" reference="Menu.MenuMacro" locale=""> +<xwikidoc version="1.5" reference="Menu.MenuMacro" locale=""> <web>Menu</web> <name>MenuMacro</name> <language/> @@ -41,15 +41,21 @@ = Horizontal Menu = {{velocity}} +#set ($menuTemplateDoc = $xwiki.getDocument('MenuTemplate')) {{code language="none"}} {{menu type="horizontal fixedWidth"}} -$xwiki.getDocument('MenuTemplate').content +## No way to escape content in the code macro, so just remove {, see https://jira.xwiki.org/browse/XRENDERING-13. +$menuTemplateDoc.content.replace('{', '') {{/menu}} {{/code}} {{/velocity}} {{menu type="horizontal fixedWidth"}} -{{include reference="MenuTemplate" /}} +{{velocity}} +## Include the content of the menu template. +## Escape {{ in the rendered content to be sure that the HTML macro is not closed unintentionally. +{{html}}$menuTemplateDoc.displayDocument().replace('{{', '&amp;#123;&amp;#123;'){{/html}} +{{/velocity}} {{/menu}} = Vertical Menu = @@ -63,7 +69,11 @@ $xwiki.getDocument('MenuTemplate').content {{/velocity}} {{menu type="vertical"}} -{{include reference="MenuTemplate" /}} +{{velocity}} +## Include the content of the menu template. +## Escape {{ in the rendered content to be sure that the HTML macro is not closed unintentionally. +{{html}}$menuTemplateDoc.displayDocument().replace('{{', '&amp;#123;&amp;#123;'){{/html}} +{{/velocity}} {{/menu}}</content> <object> <name>Menu.MenuMacro</name> @@ -963,7 +973,7 @@ $xwiki.getDocument('MenuTemplate').content <displayFormType>select</displayFormType> <displayType/> <name>async_cached</name> - <number>12</number> + <number>13</number> <prettyName>Cached</prettyName> <unmodifiable>0</unmodifiable> <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> @@ -976,14 +986,14 @@ $xwiki.getDocument('MenuTemplate').content <largeStorage>0</largeStorage> <multiSelect>1</multiSelect> <name>async_context</name> - <number>13</number> + <number>14</number> <prettyName>Context elements</prettyName> <relationalStorage>0</relationalStorage> - <separator> </separator> + <separator>, </separator> <separators>|, </separators> <size>5</size> <unmodifiable>0</unmodifiable> - <values>doc.reference=Document|icon.theme=Icon theme|locale=Language|request.base=Request base URL|request.parameters=Request parameters|request.url=Request URL|request.wiki=Request wiki|user=User|wiki=Wiki</values> + <values>action=Action|doc.reference=Document|icon.theme=Icon theme|locale=Language|rendering.defaultsyntax=Default syntax|rendering.restricted=Restricted|rendering.targetsyntax=Target syntax|request.base=Request base URL|request.cookies|request.parameters=Request parameters|request.url=Request URL|request.wiki=Request wiki|user=User|wiki=Wiki</values> <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> </async_context> <async_enabled> @@ -992,7 +1002,7 @@ $xwiki.getDocument('MenuTemplate').content <displayFormType>select</displayFormType> <displayType/> <name>async_enabled</name> - <number>11</number> + <number>12</number> <prettyName>Asynchronous rendering</prettyName> <unmodifiable>0</unmodifiable> <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> @@ -1097,6 +1107,16 @@ $xwiki.getDocument('MenuTemplate').content <unmodifiable>0</unmodifiable> <classType>com.xpn.xwiki.objects.classes.StringClass</classType> </name> + <priority> + <disabled>0</disabled> + <name>priority</name> + <number>11</number> + <numberType>integer</numberType> + <prettyName>Priority</prettyName> + <size>10</size> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.NumberClass</classType> + </priority> <supportsInlineMode> <disabled>0</disabled> <displayFormType>select</displayFormType> @@ -1150,21 +1170,21 @@ $xwiki.getDocument('MenuTemplate').content (% role="navigation" class="menu-horizontal-toggle" %)((( (% class="navbar-header" %)((( {{html}} - <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#$!{id}" aria-expanded="false"> + <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#$!{escapetool.xml($id)}" aria-expanded="false"> <span class="sr-only"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> {{/html}} ))) - (% id="${id}" class="menu menu-$!type collapse navbar-collapse" %)((( - $xcontext.macro.content + (% id="$!{services.rendering.escape($id, 'xwiki/2.1')}" class="menu menu-${services.rendering.escape($!type, 'xwiki/2.1')} collapse navbar-collapse" %)((( + {{wikimacrocontent/}} ))) ))) #else - (% #if ("$!id" != '') id="$id"#end class="menu menu-$!type" %)((( - $xcontext.macro.content + (% #if ("$!id" != '') id="${services.rendering.escape($id, 'xwiki/2.1')}"#end class="menu menu-${services.rendering.escape($!type, 'xwiki/2.1')}" %)((( + {{wikimacrocontent/}} ))) #end {{/velocity}}</code> @@ -1173,7 +1193,7 @@ $xwiki.getDocument('MenuTemplate').content <contentDescription>Define the menu structure using wiki syntax. Each menu item should be a list item and should contain the menu item label or link. You can use nested lists for sub-menu items.</contentDescription> </property> <property> - <contentJavaType/> + <contentJavaType>Wiki</contentJavaType> </property> <property> <contentType>Mandatory</contentType> @@ -1190,6 +1210,9 @@ $xwiki.getDocument('MenuTemplate').content <property> <name>Menu</name> </property> + <property> + <priority/> + </property> <property> <supportsInlineMode>0</supportsInlineMode> </property>
2fc20891e6c6XWIKI-19857: Modernize the menu macro and add escaping
1 file changed · +38 −15
xwiki-platform-core/xwiki-platform-menu/xwiki-platform-menu-ui/src/main/resources/Menu/MenuMacro.xml+38 −15 modified@@ -20,7 +20,7 @@ * 02110-1301 USA, or see the FSF site: http://www.fsf.org. --> -<xwikidoc version="1.3" reference="Menu.MenuMacro" locale=""> +<xwikidoc version="1.5" reference="Menu.MenuMacro" locale=""> <web>Menu</web> <name>MenuMacro</name> <language/> @@ -41,15 +41,21 @@ = Horizontal Menu = {{velocity}} +#set ($menuTemplateDoc = $xwiki.getDocument('MenuTemplate')) {{code language="none"}} {{menu type="horizontal fixedWidth"}} -$xwiki.getDocument('MenuTemplate').content +## No way to escape content in the code macro, so just remove {, see https://jira.xwiki.org/browse/XRENDERING-13. +$menuTemplateDoc.content.replace('{', '') {{/menu}} {{/code}} {{/velocity}} {{menu type="horizontal fixedWidth"}} -{{include reference="MenuTemplate" /}} +{{velocity}} +## Include the content of the menu template. +## Escape {{ in the rendered content to be sure that the HTML macro is not closed unintentionally. +{{html}}$menuTemplateDoc.displayDocument().replace('{{', '&amp;#123;&amp;#123;'){{/html}} +{{/velocity}} {{/menu}} = Vertical Menu = @@ -63,7 +69,11 @@ $xwiki.getDocument('MenuTemplate').content {{/velocity}} {{menu type="vertical"}} -{{include reference="MenuTemplate" /}} +{{velocity}} +## Include the content of the menu template. +## Escape {{ in the rendered content to be sure that the HTML macro is not closed unintentionally. +{{html}}$menuTemplateDoc.displayDocument().replace('{{', '&amp;#123;&amp;#123;'){{/html}} +{{/velocity}} {{/menu}}</content> <object> <name>Menu.MenuMacro</name> @@ -962,7 +972,7 @@ $xwiki.getDocument('MenuTemplate').content <displayFormType>select</displayFormType> <displayType/> <name>async_cached</name> - <number>12</number> + <number>13</number> <prettyName>Cached</prettyName> <unmodifiable>0</unmodifiable> <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> @@ -975,14 +985,14 @@ $xwiki.getDocument('MenuTemplate').content <largeStorage>0</largeStorage> <multiSelect>1</multiSelect> <name>async_context</name> - <number>13</number> + <number>14</number> <prettyName>Context elements</prettyName> <relationalStorage>0</relationalStorage> - <separator> </separator> + <separator>, </separator> <separators>|, </separators> <size>5</size> <unmodifiable>0</unmodifiable> - <values>doc.reference=Document|icon.theme=Icon theme|locale=Language|request.base=Request base URL|request.parameters=Request parameters|request.url=Request URL|request.wiki=Request wiki|user=User|wiki=Wiki</values> + <values>action=Action|doc.reference=Document|icon.theme=Icon theme|locale=Language|rendering.defaultsyntax=Default syntax|rendering.restricted=Restricted|rendering.targetsyntax=Target syntax|request.base=Request base URL|request.cookies|request.parameters=Request parameters|request.url=Request URL|request.wiki=Request wiki|user=User|wiki=Wiki</values> <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> </async_context> <async_enabled> @@ -991,7 +1001,7 @@ $xwiki.getDocument('MenuTemplate').content <displayFormType>select</displayFormType> <displayType/> <name>async_enabled</name> - <number>11</number> + <number>12</number> <prettyName>Asynchronous rendering</prettyName> <unmodifiable>0</unmodifiable> <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> @@ -1096,6 +1106,16 @@ $xwiki.getDocument('MenuTemplate').content <unmodifiable>0</unmodifiable> <classType>com.xpn.xwiki.objects.classes.StringClass</classType> </name> + <priority> + <disabled>0</disabled> + <name>priority</name> + <number>11</number> + <numberType>integer</numberType> + <prettyName>Priority</prettyName> + <size>10</size> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.NumberClass</classType> + </priority> <supportsInlineMode> <disabled>0</disabled> <displayFormType>select</displayFormType> @@ -1149,21 +1169,21 @@ $xwiki.getDocument('MenuTemplate').content (% role="navigation" class="menu-horizontal-toggle" %)((( (% class="navbar-header" %)((( {{html}} - <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#$!{id}" aria-expanded="false"> + <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#$!{escapetool.xml($id)}" aria-expanded="false"> <span class="sr-only"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> <span class="icon-bar"></span> </button> {{/html}} ))) - (% id="${id}" class="menu menu-$!type collapse navbar-collapse" %)((( - $xcontext.macro.content + (% id="$!{services.rendering.escape($id, 'xwiki/2.1')}" class="menu menu-${services.rendering.escape($!type, 'xwiki/2.1')} collapse navbar-collapse" %)((( + {{wikimacrocontent/}} ))) ))) #else - (% #if ("$!id" != '') id="$id"#end class="menu menu-$!type" %)((( - $xcontext.macro.content + (% #if ("$!id" != '') id="${services.rendering.escape($id, 'xwiki/2.1')}"#end class="menu menu-${services.rendering.escape($!type, 'xwiki/2.1')}" %)((( + {{wikimacrocontent/}} ))) #end {{/velocity}}</code> @@ -1172,7 +1192,7 @@ $xwiki.getDocument('MenuTemplate').content <contentDescription>Define the menu structure using wiki syntax. Each menu item should be a list item and should contain the menu item label or link. You can use nested lists for sub-menu items.</contentDescription> </property> <property> - <contentJavaType/> + <contentJavaType>Wiki</contentJavaType> </property> <property> <contentType>Mandatory</contentType> @@ -1189,6 +1209,9 @@ $xwiki.getDocument('MenuTemplate').content <property> <name>Menu</name> </property> + <property> + <priority/> + </property> <property> <supportsInlineMode>0</supportsInlineMode> </property>
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-6w8h-26xx-cf8qghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-41934ghsaADVISORY
- github.com/xwiki/xwiki-platform/commit/2fc20891e6c6b0ca05ee07e315e7f435e8919f8dghsaWEB
- github.com/xwiki/xwiki-platform/commit/59ccca24a8465a19f40c51d65fcc2c09c1edea16ghsaWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-6w8h-26xx-cf8qghsaWEB
- jira.xwiki.org/browse/XWIKI-19857ghsaWEB
- www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/ImportsghsaWEB
News mentions
0No linked articles in our index yet.