{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-13T03:19:22.546","vulnerabilities":[{"cve":{"id":"CVE-2022-41931","sourceIdentifier":"security-advisories@github.com","published":"2022-11-23T20:15:10.023","lastModified":"2024-11-21T07:24:05.783","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The problem has been patched in XWiki 13.10.7, 14.5 and 14.4.2. Workarounds: The [patch](https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01) can be manually applied by editing `IconThemesCode.IconPickerMacro` in the object editor. The whole document can also be replaced by the current version by importing the document from the XAR archive of a fixed version as the only changes to the document have been security fixes and small formatting changes."},{"lang":"es","value":"xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Any user with view rights on commonly accessible documents, including the icon picker macro, can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The problem was fixed in XWiki 13.10.7, 14.5 and 14.4.2. Workarounds: the [patch](https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01) can be applied manually by editing `IconThemesCode.IconPickerMacro` in the object editor. The whole document can also be replaced by the current version by importing the document from the XAR archive of a fixed version, since the only changes to the document have been security fixes and small formatting changes."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-95"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*","versionStartExcluding":"6.4","versionEndExcluding":"13.10.7","matchCriteriaId":"A2983665-C5BF-4D43-983A-585BA30399E7"},{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*","versionStartIncluding":"14.0.0","versionEndExcluding":"14.4.2","matchCriteriaId":"B5DF0A47-B3DD-4A49-BA56-35374D029F02"},{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:6.4:milestone2:*:*:*:*:*:*","matchCriteriaId":"2ED3CF77-5A0B-4A1C-9F83-B5851D415D3E"},{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:6.4:milestone3:*:*:*:*:*:*","matchCriteriaId":"34004E8E-213E-4D7F-A6BF-953A5A5C3CA6"
},{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:14.4.3:*:*:*:*:*:*:*","matchCriteriaId":"C9646DA8-7C5A-458E-975C-A67099D43047"},{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:14.4.4:*:*:*:*:*:*:*","matchCriteriaId":"CDAB9E27-2E41-44EA-BBCB-8015B22272B7"}]}]}],"references":[{"url":"https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5j7g-cf6r-g2h7","source":"security-advisories@github.com","tags":["Exploit","Patch","Third Party Advisory"]},{"url":"https://jira.xwiki.org/browse/XWIKI-19805","source":"security-advisories@github.com","tags":["Exploit","Issue Tracking","Patch","Vendor Advisory"]},{"url":"https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5j7g-cf6r-g2h7","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Patch","Third Party Advisory"]},{"url":"https://jira.xwiki.org/browse/XWIKI-19805","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Issue Tracking","Patch","Vendor Advisory"]}]}}]}
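The "configurations" block of the record above encodes the affected XWiki versions in two forms: wildcard-version cpeMatch entries bounded by versionStartExcluding / versionStartIncluding / versionEndExcluding, and exact-version entries such as 6.4:milestone2 and 14.4.3. A checker that only applies the ranges would miss the explicit 14.4.3 and 14.4.4 entries (which the record lists as vulnerable even though the description names 14.4.2 as a fixed release), so a practitioner wants both forms handled. The following is an added example, not part of the NVD record or of XWiki: it copies the record's own cpeMatch entries (matchCriteriaId dropped) and decides whether a given version is covered. Two things are assumptions: that NVD applicability ORs a CVE's configurations and ANDs the nodes inside one configuration (this record has a single OR node, so it makes no difference here), and that a version string is compared by its leading dotted-numeric prefix, with pre-release suffixes ignored and the update field (e.g. "milestone2") passed separately.

```python
"""Check an XWiki version against the cpeMatch entries of the NVD 2.0 record
for CVE-2022-41931. Added example; not part of the record or of XWiki."""
import re

# Copied from the record on this page (matchCriteriaId omitted).
RECORD = {
    "cve": {
        "id": "CVE-2022-41931",
        "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
            {"vulnerable": True, "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
             "versionStartExcluding": "6.4", "versionEndExcluding": "13.10.7"},
            {"vulnerable": True, "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "14.0.0", "versionEndExcluding": "14.4.2"},
            {"vulnerable": True, "criteria": "cpe:2.3:a:xwiki:xwiki:6.4:milestone2:*:*:*:*:*:*"},
            {"vulnerable": True, "criteria": "cpe:2.3:a:xwiki:xwiki:6.4:milestone3:*:*:*:*:*:*"},
            {"vulnerable": True, "criteria": "cpe:2.3:a:xwiki:xwiki:14.4.3:*:*:*:*:*:*:*"},
            {"vulnerable": True, "criteria": "cpe:2.3:a:xwiki:xwiki:14.4.4:*:*:*:*:*:*:*"},
        ]}]}],
    }
}


def parse_version(version):
    """'13.10.7' -> (13, 10, 7). Only the leading dotted-numeric prefix is
    used (a '-rc-1' suffix is ignored: simplification). Trailing zeros are
    dropped so '14.0.0' and '14' compare equal, as the record's
    versionStartIncluding '14.0.0' intends."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def cpe_match_applies(match, vendor, product, version, update):
    """Does one cpeMatch entry cover vendor/product/version/update?
    CPE 2.3 layout: cpe:2.3:part:vendor:product:version:update:...
    (this record has no escaped colons, so a plain split is enough)."""
    fields = match["criteria"].split(":")
    if fields[3] != vendor or fields[4] != product:
        return False
    cpe_version, cpe_update = fields[5], fields[6]
    v = parse_version(version)
    if cpe_version != "*":
        # Exact-version entry (6.4:milestone2, 14.4.3:*). A criteria update
        # of "*" matches any update; otherwise the update must be equal.
        return v == parse_version(cpe_version) and cpe_update in ("*", update)
    # Wildcard version: apply whichever of the four range bounds are present.
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def evaluate_node(node, vendor, product, version, update):
    """Return (node_applies, criteria of vulnerable entries that matched)."""
    results = [(m, cpe_match_applies(m, vendor, product, version, update))
               for m in node.get("cpeMatch", [])]
    if node.get("operator", "OR") == "AND":
        applies = all(ok for _, ok in results)
    else:
        applies = any(ok for _, ok in results)
    if node.get("negate", False):
        applies = not applies
    matched = [m["criteria"] for m, ok in results if ok and m.get("vulnerable")]
    return applies, matched


def affected_entries(record, version, update="", vendor="xwiki", product="xwiki"):
    """Criteria strings of the vulnerable cpeMatch entries covering `version`.
    Assumption: configurations are ORed, nodes within one are ANDed."""
    hits = []
    for config in record["cve"].get("configurations", []):
        node_results = [evaluate_node(n, vendor, product, version, update)
                        for n in config.get("nodes", [])]
        if node_results and all(ok for ok, _ in node_results):
            for _, matched in node_results:
                hits.extend(matched)
    return hits


def is_affected(record, version, update=""):
    return bool(affected_entries(record, version, update))


if __name__ == "__main__":
    for ver in ["6.4", "6.4.1", "13.10.6", "13.10.7", "14.0.0", "14.4.2", "14.4.3", "14.4.5", "14.5"]:
        print(f"{ver:>8}: {'affected' if is_affected(RECORD, ver) else 'not listed'}")
    print("6.4 milestone2:", is_affected(RECORD, "6.4", update="milestone2"))
```

Run against the record, 14.4.2 and 14.5 come back as not listed while 14.4.3 and 14.4.4 are flagged by their exact-version entries; the function reports what the record says and does not resolve that tension with the description, which is a question for the linked advisory and Jira issue. Note also that 13.10.7 is excluded only because the range bound is versionEndExcluding; a one-character change to versionEndIncluding would flip that result, which is why the bound kind is checked explicitly rather than assumed.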