Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2022-41931
HistoryNov 23, 2022 - 8:15 p.m.

CVE-2022-41931

2022-11-2320:15:10
CWE-95
[email protected]
web.nvd.nist.gov
xwiki-platform-icon-ui
eval injection
xwiki 13.10.7
14.5
14.4.2
security patch

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

62.3%

JSON

xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code (‘Eval Injection’). Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The problem has been patched in XWiki 13.10.7, 14.5 and 14.4.2. Workarounds: The patch can be manually applied by editing IconThemesCode.IconPickerMacro in the object editor. The whole document can also be replaced by the current version by importing the document from the XAR archive of a fixed version as the only changes to the document have been security fixes and small formatting changes.

Affected configurations

NVD
Node
xwikixwikiRange6.413.10.7
OR
xwikixwikiRange14.0.014.4.2
OR
xwikixwikiMatch6.4milestone2
OR
xwikixwikiMatch6.4milestone3
OR
xwikixwikiMatch14.4.3
OR
xwikixwikiMatch14.4.4

Related

cvelist 1
github 1
osv 2
cve 1
prion 1
openvas 1
cvelist
cvelist
CVE-2022-41931 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-icon-ui
2022-11-23 00:00:00
github
github
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-icon-ui
2022-11-21 22:36:33
osv
osv
CVE-2022-41931
2022-11-23 20:15:10
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-icon-ui
2022-11-21 22:36:33
cve
cve
CVE-2022-41931
2022-11-23 20:15:10
prion
prion
Design/Logic Flaw
2022-11-23 20:15:00
openvas
openvas
XWiki 6.4-milestone-2 < 13.10.7, 14.x < 14.4.2 Eval Injection Vulnerability (GHSA-5j7g-cf6r-g2h7)
2022-11-24 00:00:00

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

62.3%

JSON
Related for NVD:CVE-2022-41931
cvelist1github1osv2cve1prion1openvas1