CVE-2022-41931 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-icon-ui
xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code 'Eval Injection'. Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper...
CVE-2022-41928
XWiki Platform is affected by an Eval Injection in the AttachmentSelector.xml (directives in dynamically evaluated code). The vulnerability can also be triggered by payloads in height or alt macro properties. Patched in XWiki Platform releases: 13.10.7+, 14.4.2+, and 14.5. The recommended fix is ...
CVE-2022-41931
CVE-2022-41931 affects xwiki-platform-icon-ui. It enables Eval Injection through the iconPicker macro, allowing an authenticated user with view rights on common documents to run arbitrary Groovy/Python/Velocity code due to improper neutralization of macro parameters. The vulnerability is fixed in...
CVE-2022-41928 XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code 'Eval Injection' in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties. This has been patched in versions 13.10.7, 14.4.2...
GHSA-6W8H-26XX-CF8Q Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in org.xwiki.platform:xwiki-platform-menu-ui
Impact: Any user with view rights on commonly accessible documents including the menu macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation due to improper escaping of the macro content and parameters of the menu macro. The issue can ...
GHSA-9HQH-FMHG-VQ2J Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
Impact: Any user with the right to edit his personal page can follow one of the scenarios below: Scenario 1: - Log in as a simple user with just edit rights on the user profile - Go to the user's profile - Upload an attachment in the attachment tab at the bottom of the page (any image is fine) - Clic...
Dolibarr vulnerable to Eval Injection
Dolibarr ERP & CRM =15.0.3 are vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval...
GHSA-7CM4-VMF2-8WF2 Dolibarr vulnerable to Eval Injection
Dolibarr ERP & CRM =15.0.3 are vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval...
CVE-2022-40871
Dolibarr ERP & CRM =15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval...
Design/Logic Flaw
Dolibarr ERP & CRM =15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval...
UBUNTU-CVE-2022-40871
Dolibarr ERP & CRM =15.0.3 is vulnerable to Eval injection. By default, any administrator can be added to the installation page of dolibarr, and if successfully added, malicious code can be inserted into the database and then execute it by eval...
PT-2022-25596 · Unknown · Dolibarr Erp/Crm
Name of the Vulnerable Software and Affected Versions: Dolibarr ERP & CRM versions =15.0.3 Description: The issue allows malicious code to be inserted into the database and then executed by eval. By default, any administrator can be added to the installation page of dolibarr, and if successfully...
CVE-2022-40871
CVE-2022-40871 affects Dolibarr ERP & CRM
GHSA-XR6M-2P4M-JVQF XWiki Platform Wiki UI Main Wiki Eval Injection vulnerability
Impact: It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the request URL parameter using the XWikiServerClassSheet if the user has view access to this sheet and another page that has been saved with programming rights, a standard condition on a...
GHSA-2G5C-228J-P52X XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection
Impact: The tags document Main.Tags in XWiki didn't sanitize user inputs properly, allowing users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This allows bypassi...