CVE CyberSecurity Database News

CVE-2022-41928 - How Eval Injection in XWiki Platform's AttachmentSelector.xml Exposed Your Wiki (And How to Safeguard It)

Poster -

The XWiki platform is a popular open-source wiki engine widely used for knowledge management, document collaboration, and enterprise content. But in late 2022, security researchers found a serious vulnerability in XWiki’s AttachmentSelector.xml component: an Eval Injection bug tracked as CVE-2022-41928. This bug could allow attackers to execute dangerous code by sneaking malicious content into certain macro parameters—putting your whole wiki at risk.

Let me walk you through how this happened, which versions are safe, how attackers could abuse the weakness, and what you can do to secure your XWiki installation—using plain language and practical code examples.

What’s CVE-2022-41928 in Simple Terms?

This vulnerability is an Eval Injection, coming from improper handling (neutralization) of directives in dynamically evaluated code. Think of it like this: XWiki took user-supplied input and "plugged" it into code meant to run server-side, without properly filtering out dangerous stuff. So, if someone crafted a clever payload, they could hijack the process and make XWiki execute commands they chose.

Where did this happen? In the rendering of macros inside AttachmentSelector.xml, specifically via the height and alt properties—which sound innocent, but could be abused if not sanitized.

The Attack: Injecting Dangerous Code via Macro Properties

Imagine you have editing rights on a vulnerable XWiki instance. You can use the macro system to display images or attachments, specifying things like width, height, and description (alt). But if you put malicious code in "height" or "alt", that input would get plugged directly into server-side evaluation code in AttachmentSelector.xml—and executed.

Let’s say the vulnerable macro takes a user input like

{{image reference="myAttachment.png" height="200"}}

A harmless use.

But if an attacker does

{{image reference="myAttachment.png" height="200); /* malicious code here */ //"}}

Or even

{{image reference="myAttachment.png" alt="${services.scriptService.execute('groovy', 'java.lang.Runtime.getRuntime().exec(\"touch /tmp/pwned\")')}" }}

Depending on macro parsing, this could execute shell commands or server-side scripts, opening the door to:

Here’s pseudocode resembling the flawed logic

// Simplified Java example
String userInput = getMacroParameter("height");  // untrusted data!
String codeToEval = "setHeight(" + userInput + ")";
eval(codeToEval);  // Dangerous: direct evaluation of user input!

Anyone able to insert code through the userInput variable could execute arbitary logic by breaking out of the intended context.

Real-World Attack Scenarios

- Wiki Page Defacement: Malicious users add dangerous 'height' payloads to image macros, displaying whatever they want or running code.
- Privilege Escalation: If any macro runs as a higher-privilege user (e.g., admin), the attacker could hijack the server account or access confidential files.
- Worms Across Wiki: Self-replicating payloads direct other users' browsers to execute attacks—without having to touch the server again.

How Was This Patched?

The vulnerability was fixed by sanitizing and properly filtering the macro properties in AttachmentSelector.xml. The maintainers made sure “height” and “alt” parameters can’t be used to sneak in executable code.

Safe versions are:

14.5 and later

If you’re running any older version, you’re at risk!

You can check the exact code fixes applied here

- 14.5-rc-1+: Patch diff on GitHub
- 14.4.2+: Patch diff on GitHub
- 13.10.7+: Patch diff on GitHub

If you cannot do a full upgrade:

- Manually update the code for XWiki.AttachmentSelector using the patched file from the commits above.
  - Check your macros and templates for any signs of “eval”-like usage or unsanitized macro property handling.

References & Further Reading

- Original CVE Record: CVE-2022-41928
- XWiki Release Notes & Security Advisories
- OWASP: Eval Injection
- XWiki GitHub: xwiki-platform commits
- How to Patch XWiki Extension Pages

Conclusion

Sadly, even in mature platforms like XWiki, *eval* or dynamic evaluation flaws can crop up, especially when user input isn’t carefully sanitized. If you use XWiki, patch now—or update your macros to avoid untrusted code execution. And if you run any website with user-editable templates or evaluations, remember: never trust user input!

Timeline

Published on: 11/23/2022 19:15:00 UTC
Last modified on: 11/30/2022 16:38:00 UTC