Vulnerability Database
296,772
Total vulnerabilities in the database
CVE-2022-41928
XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties. This has been patched in versions 13.10.7, 14.4.2, and 14.5. The issue can be fixed on a running wiki by updating XWiki.AttachmentSelector with the versions below: - 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
| Software | From | Fixed in |
|---|---|---|
| xwiki / xwiki | 14.0.0 | 14.4.2 |
| xwiki / xwiki | 5.0.x | 13.10.7 |
| xwiki / xwiki | 5.0-milestone1 | 5.0-milestone1.x |
| xwiki / xwiki | 5.0-milestone2 | 5.0-milestone2.x |
| xwiki / xwiki | 14.4.3 | 14.4.3.x |
| xwiki / xwiki | 14.4.4 | 14.4.4.x |
org.xwiki.platform / xwiki-platform-attachment-ui
|
5.0-milestone-1 | 13.10.7 |
|
org.xwiki.platform / xwiki-platform-attachment-ui
|
14.0.0 | 14.4.2 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime