{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-28T03:54:57.500","vulnerabilities":[{"cve":{"id":"CVE-2022-41934","sourceIdentifier":"security-advisories@github.com","published":"2022-11-23T20:15:10.097","lastModified":"2024-11-21T07:24:06.210","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on commonly accessible documents including the menu macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation due to improper escaping of the macro content and parameters of the menu macro. The problem has been patched in XWiki 14.6RC1, 13.10.8 and 14.4.3. The patch (commit `2fc20891`) for the document `Menu.MenuMacro` can be manually applied or a XAR archive of a patched version can be imported. The menu macro was basically unchanged since XWiki 11.6 so on XWiki 11.6 or later the patch for version of 13.10.8 (commit `59ccca24a`) can most likely be applied, on XWiki version 14.0 and later the versions in XWiki 14.6 and 14.4.3 should be appropriate."},{"lang":"es","value":"XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. Cualquier usuario con derechos de visualización de documentos comúnmente accesibles, incluida la macro de menú, puede ejecutar código Groovy, Python o Velocity arbitrario en XWiki, lo que le otorga acceso completo a la instalación de XWiki debido a un escape inadecuado del contenido de la macro y los parámetros de la macro de menú. El problema se solucionó en XWiki 14.6RC1, 13.10.8 y 14.4.3. El parche (commit `2fc20891`) para el documento `Menu.MenuMacro` se puede aplicar manualmente o se puede importar un archivo XAR de una versión parcheada. La macro del menú básicamente no ha cambiado desde XWiki 11.6, por lo que en XWiki 11.6 o posterior lo más probable es que se pueda aplicar el parche para la versión 13.10.8 (commit `59ccca24a`); en XWiki versión 14.0 y posteriores, las versiones en XWiki 14.6 y 14.4.3. debería ser apropiado."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-74"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-116"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*","versionEndExcluding":"13.10.8","matchCriteriaId":"826127A0-9698-4FA6-8FFD-64C933B52A94"},{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*","versionStartIncluding":"14.0.0","versionEndExcluding":"14.4.3","matchCriteriaId":"CF0D4D4B-363F-4D5D-B780-1CBCC1C202B8"},{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:14.4.4:*:*:*:*:*:*:*","matchCriteriaId":"CDAB9E27-2E41-44EA-BBCB-8015B22272B7"},{"vulnerable":true,"criteria":"cpe:2.3:a:xwiki:xwiki:14.4.5:*:*:*:*:*:*:*","matchCriteriaId":"79B3E9A4-CAC3-4E8D-9C76-F7AE5C3385C1"}]}]}],"references":[{"url":"https://github.com/xwiki/xwiki-platform/commit/2fc20891e6c6b0ca05ee07e315e7f435e8919f8d","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/xwiki/xwiki-platform/commit/59ccca24a8465a19f40c51d65fcc2c09c1edea16","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6w8h-26xx-cf8q","source":"security-advisories@github.com","tags":["Exploit","Patch","Third Party Advisory"]},{"url":"https://jira.xwiki.org/browse/XWIKI-19857","source":"security-advisories@github.com","tags":["Exploit","Issue Tracking","Patch","Vendor Advisory"]},{"url":"https://www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/Imports#HImportingXWikipages","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/xwiki/xwiki-platform/commit/2fc20891e6c6b0ca05ee07e315e7f435e8919f8d","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/xwiki/xwiki-platform/commit/59ccca24a8465a19f40c51d65fcc2c09c1edea16","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6w8h-26xx-cf8q","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Patch","Third Party Advisory"]},{"url":"https://jira.xwiki.org/browse/XWIKI-19857","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Issue Tracking","Patch","Vendor Advisory"]},{"url":"https://www.xwiki.org/xwiki/bin/view/Documentation/UserGuide/Features/Imports#HImportingXWikipages","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}