CVE-2022-41928
Published: 23 November 2022
Summary
CVE-2022-41928 is a critical-severity Eval Injection (CWE-95) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform is affected by an eval injection vulnerability (CWE-95) in AttachmentSelector.xml: directives in dynamically evaluated code are not properly neutralized, and the flaw can also be triggered through the height or alt macro properties. The issue received a CVSS score of 9.9 and was addressed in versions 13.10.7, 14.4.2, and 14.5.
An authenticated attacker with low privileges can supply a malicious payload that is evaluated at runtime, enabling remote code execution with impacts to confidentiality, integrity, and availability across the server scope.
The GitHub Security Advisory and linked XWiki commits provide patched versions of the XWiki.AttachmentSelector document that can be applied directly to a running instance; administrators are advised to upgrade to one of the fixed releases or manually import the corrected selector code from the referenced diffs.
EPSS remained flat at 0.0594 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-7304
Vulnerability details
XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the `height` or `alt` macro properties. This has been patched in versions 13.10.7, 14.4.2, and 14.5. The issue can be fixed on a running wiki by updating `XWiki.AttachmentSelector` with the versions below:
- 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
- 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
- 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
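The fixed releases above (13.10.7 for 13.x, 14.4.2 for 14.x, and 14.5-rc-1 onward) are the facts a patch-inventory check needs. The following is an added example, not code from the advisory or from the XWiki project: it parses XWiki version strings (assumed to take the form `MAJOR.MINOR[.PATCH][-rc-N]`), decides whether a given release still carries the unpatched `XWiki.AttachmentSelector`, and flags instances in a constructed inventory; hostnames in the sample are made up.

```python
import re
from typing import Dict, List, Tuple

FINAL = 10**6  # a final release must sort after any of its release candidates

# Assumed XWiki version shape: "14.4.2" or "14.5-rc-1" (patch and rc parts optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?$", re.IGNORECASE)

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '14.5-rc-1' into (14, 5, 0, 1) and '14.4.2' into (14, 4, 2, FINAL)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = match.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else FINAL)

# First release carrying the fix on each branch, as listed in the advisory.
FIXED_13_X = parse_version("13.10.7")
FIXED_14_X = parse_version("14.4.2")  # 14.5-rc-1 and later 14.x also carry it

def is_vulnerable(version: str) -> bool:
    """True if this XWiki Platform release still ships the unpatched AttachmentSelector."""
    v = parse_version(version)
    major = v[0]
    if major < 13:
        return True            # no fix was issued for older, end-of-life majors
    if major == 13:
        return v < FIXED_13_X  # 13.0 .. 13.10.6 are affected
    if major == 14:
        return v < FIXED_14_X  # 14.0 .. 14.4.1 (and rcs of 14.4.2) are affected
    return False               # assumption: later majors branched after the fix

def instances_needing_patch(inventory: Dict[str, str]) -> List[str]:
    """Return the inventory entries (name -> version) that must be upgraded or hot-patched."""
    return sorted(name for name, ver in inventory.items() if is_vulnerable(ver))

# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {
    "wiki-prod.example.test": "14.4.1",
    "wiki-staging.example.test": "14.5-rc-1",
    "wiki-legacy.example.test": "13.10.6",
    "wiki-docs.example.test": "13.10.7",
}

if __name__ == "__main__":
    for host in instances_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable to CVE-2022-41928 ({SAMPLE_INVENTORY[host]})")
```

Release candidates below a fixed final release (for example 14.4.2-rc-1) are treated as unpatched, which errs on the side of flagging an instance for review.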
- CWE(s): CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code, 'Eval Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
XWiki Platform releases before the fixed versions 13.10.7, 14.4.2, and 14.5.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.