XWiki is a popular open-source wiki and knowledge management platform used by thousands of teams and organizations worldwide. However, in late 2022, a serious security vulnerability—CVE-2022-41931—was discovered in xwiki-platform-icon-ui, a module that helps display icons throughout XWiki pages. This vulnerability is particularly concerning because it allows almost any user to execute arbitrary code on the XWiki server.

If you use XWiki or develop with it, you need to understand the implications of this vulnerability, how the exploit works, and how to patch or mitigate it.

What is CVE-2022-41931?

CVE-2022-41931 is an “Eval Injection” bug, which means an attacker can inject code—like Groovy, Python, or Velocity—straight into your XWiki server by abusing the Icon Picker Macro.

Normally, macros are powerful features that let you embed dynamic content into XWiki documents. But if the developers don't properly “neutralize” (sanitize or escape) input, they open the door to malicious macro parameters. That’s exactly what happened here.

Technical Details & Proof-of-Concept

In XWiki, macros can be called with parameters. The Icon Picker Macro failed to properly sanitize its parameters, so attackers could inject their own scripts. For example, imagine a macro call in XWiki syntax:

{{iconPickerMacro parameter="..."}}

A malicious user could submit something like

{{iconPickerMacro parameter="${{groovy: 'whoami'.execute().text}}"}}

In some cases, that would execute on the server and display the result of whoami—potentially giving away sensitive information or letting an attacker do worse.

Here’s a simplified snippet showing what a vulnerable macro might look like using Groovy:

// BAD! Directly uses untrusted input in eval
// (illustrative only: doc.getParameter stands in for however the macro reads its parameter)
def userInput = doc.getParameter('parameter')
def result = Eval.me(userInput)   // groovy.util.Eval runs the string as Groovy code
println result

Without proper checks, whatever the user supplies as the parameter gets executed as code.

1. Find a page with the Icon Picker Macro - Since many pages include icons, this isn't hard.
2. Edit a page to add a malicious parameter - Even if the user can only "view," some setups allow template-based injection or stored XSS via comments or editable template pages.
3. Execute arbitrary code - Once their code is in, they can exfiltrate data, run system commands, or pivot to deeper privilege escalation.

Real-World Example

{{iconPickerMacro parameter="#set($x=#request.get('cmd'))#if($x)$x#end"}}

If an attacker points their browser to the wiki with ?cmd=whoami, it could display the result of that command (or worse). This example uses Velocity, but the attack works with Groovy or Python too if enabled.

How Was CVE-2022-41931 Fixed?

The XWiki team patched the bug quickly. The fix neutralizes (escapes) macro parameters so they can’t be interpreted as code.
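As an added example (not XWiki's code and not the actual patch), here is a small Python scanner that applies the allowlist check a hardened macro should use in place of `Eval.me` on the snippet above, and runs it over exported wiki content to flag stored macro calls whose parameter values carry script syntax. The macro matcher, the marker list, the parameter name and the icon-name pattern are assumptions, not XWiki's parser or its real parameter names.

```python
import re

# XWiki 2.x macro call on one line: {{name param="value" .../}} (constructed matcher,
# not XWiki's parser; enough for scanning exported page content)
MACRO_RE = re.compile(r'\{\{(\w+)((?:\s+\w+\s*=\s*"[^"]*")*)\s*/?\}\}')
PARAM_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Velocity / Groovy / nested-macro syntax an icon name never contains
# (assumed heuristic list for detection, not an official XWiki list).
SCRIPT_MARKERS = ("${", "$!", "#set(", "#if(", "{{", "$request", "$services")
# Assumed allowlist: icon identifiers such as "home" or "fa-user".
ICON_NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$')

def is_safe_icon_name(value):
    """Allowlist check a hardened macro applies instead of handing the value to eval."""
    return bool(ICON_NAME_RE.match(value))

def classify_parameter(value):
    """None when the value is an acceptable icon name, otherwise why it was rejected."""
    if any(marker in value for marker in SCRIPT_MARKERS):
        return "script-syntax"
    if not is_safe_icon_name(value):
        return "not-an-icon-name"
    return None

def find_suspicious_macro_calls(content, macro="iconPickerMacro"):
    """Scan wiki-syntax content; return (line_no, param, value, reason) per rejected value."""
    hits = []
    for line_no, line in enumerate(content.splitlines(), 1):
        for call in MACRO_RE.finditer(line):
            if call.group(1) != macro:
                continue
            for name, value in PARAM_RE.findall(call.group(2)):
                reason = classify_parameter(value)
                if reason:
                    hits.append((line_no, name, value, reason))
    return hits

# Constructed sample page: one legitimate call, the page's injection payload,
# and a value that is merely not an icon name.
SAMPLE_PAGE = """\
= Team dashboard =
{{iconPickerMacro parameter="home"/}}
{{iconPickerMacro parameter="${{groovy: 'whoami'.execute().text}}"}}
{{iconPickerMacro parameter="not an icon"/}}
"""

if __name__ == "__main__":
    for hit in find_suspicious_macro_calls(SAMPLE_PAGE):
        print("line %d: %s=%r rejected (%s)" % hit)
```

Running the scanner over a XAR export of page content gives a quick inventory of stored calls that need cleaning up while the upgrade is being rolled out.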

Patched versions: 13.10.7, 14.5, and 14.4.2

- See the official patch here (GitHub)

If you cannot update, you can manually patch by editing the IconThemesCode.IconPickerMacro in the object editor as per the official commit.

Another workaround: Replace the entire macro document by importing it from a fixed XAR archive.

- Install version 13.10.7, 14.5, or 14.4.2 (or later); download from the XWiki.org Download page
- Or, to patch manually, go to IconThemesCode.IconPickerMacro and use the patch diff as a guide

References and More Reading

- Official CVE entry: NVD - CVE-2022-41931
- XWiki Security Advisory: XWIKI-2022-41931 *(when available)*
- GitHub Patch: xwiki-platform commit
- How XWiki macros work: XWiki Macros Documentation

Summing Up

CVE-2022-41931 is a dangerous vulnerability in XWiki's icon picker macro that allows almost anyone who can view wiki content to execute server-side code. This could easily lead to full server compromise. Luckily, this bug was fixed quickly. If you haven't updated your XWiki instance, now's the time—either update, apply the patch, or import the fixed macro document.

Don’t wait—patch your systems today!

If you found this article helpful or have questions about patching, let us know in the comments below! Stay safe and keep your XWiki secure.

Timeline

Published on: 11/23/2022 20:15:00 UTC
Last modified on: 11/30/2022 17:00:00 UTC