PT-2022-26158 · Xwiki · Xwiki Platform

Michael Hamann · Published 2022-11-21 · Updated 2022-11-30 · CVE-2022-41928

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions prior to 13.10.7
XWiki Platform versions prior to 14.4.2
XWiki Platform versions prior to 14.5
Description

The issue is an Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. It can be exploited by placing a malicious payload in the height or alt macro properties, which are evaluated rather than treated as plain data. Any user with the right to edit their personal page can follow specific scenarios to reproduce the issue. The estimated number of potentially affected installations is not provided. There is no information about real-world incidents in which this issue was exploited.
Recommendations

For versions prior to 13.10.7, update to version 13.10.7 or later.
For versions prior to 14.4.2, update to version 14.4.2 or later.
For versions prior to 14.5, update to version 14.5 or later.

As a temporary workaround, consider disabling the attachmentSelector macro until a patch is available. Restrict access to the XWiki.AttachmentSelector module to minimize the risk of exploitation. Avoid using the height and alt macro properties in the affected API endpoint until the issue is resolved.
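The three fixed releases above define three safe intervals (13.10.7 up to 14.0, 14.4.2 up to 14.5, and 14.5 onward); anything outside them, including every 14.0 to 14.3 release, which has no fix on its own line, is affected. The following check is an added example written for this entry, not code from the advisory or from the XWiki project. It assumes dotted numeric version strings as reported by the installation (a suffix such as "-rc-1" is ignored) and applies only the ranges stated in this advisory.

```python
# Added example: classify an installed XWiki Platform version against the
# affected ranges stated in this advisory (CVE-2022-41928). Not XWiki code.
import re

# Half-open intervals [low, high) in which the issue is fixed, taken from the
# advisory's three fixed releases; None means "no upper bound".
FIXED_RANGES = (
    ((13, 10, 7), (14, 0, 0)),   # 13.10.x line: fixed from 13.10.7
    ((14, 4, 2), (14, 5, 0)),    # 14.4.x line: fixed from 14.4.2
    ((14, 5, 0), None),          # 14.5 and every later release
)


def parse_version(text):
    """Turn '13.10.7', '14.5' or '14.6-rc-1' into a 3-tuple of ints.

    Assumption: the leading dotted numeric part is the release number;
    any trailing qualifier is dropped and missing components default to 0.
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(text):
    """Return True if the given version is inside an affected range."""
    v = parse_version(text)
    for low, high in FIXED_RANGES:
        if v >= low and (high is None or v < high):
            return False
    return True


def triage(versions):
    """Map each reported version to 'affected' or 'fixed' for an inventory."""
    return {v: ("affected" if is_affected(v) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for version, status in triage(["12.10.11", "13.10.6", "13.10.7",
                                   "14.3", "14.4.1", "14.4.2", "14.6-rc-1"]).items():
        print(f"{version:>10}  {status}")
```

The intervals are half-open so that 14.4.2 and 14.5 themselves count as fixed while 14.4.1 and 14.3 do not; when a vendor later publishes additional fixed releases, extend FIXED_RANGES rather than editing the comparison logic.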

Exploit

Fix

Eval Injection


Weakness Enumeration

Related Identifiers

CVE-2022-41928
GHSA-9HQH-FMHG-VQ2J

Affected Products

Xwiki Platform