CVE-2022-36099: 
Java vulnerability analysis and mitigation

CVE-2022-36099 is a critical code injection vulnerability discovered in XWiki's platform-wiki-ui-mainwiki component. The vulnerability was disclosed on September 8, 2022, affecting XWiki versions from 5.3-milestone-2 onwards. This security flaw allows attackers with view access to inject arbitrary wiki syntax, including Groovy, Python, and Velocity script macros through URL parameters in the XWikiServerClassSheet (GitHub Advisory).

The vulnerability stems from improper neutralization of directives in dynamically evaluated code, classified as CWE-95. It received a CVSS v3.1 score of 10.0 (Critical) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The exploit can be triggered by manipulating URL parameters in the XWikiServerClassSheet, specifically through the 'domain' parameter that wasn't properly escaped (GitHub Advisory).

The vulnerability allows arbitrary Groovy/Python/Velocity code execution, enabling attackers to bypass all rights checks, potentially leading to both modification and disclosure of all content stored in the XWiki installation. Additionally, the exploit could be used to impact the overall availability of the wiki system (GitHub Advisory).

The vulnerability has been patched in XWiki versions 13.10.6 and 14.4. For earlier versions, a workaround involves manually editing the affected document XWiki.XWikiServerClassSheet or WikiManager.XWikiServerClassSheet to implement proper escaping of the domain parameter. For versions 12.0 and later, administrators can import the fixed XWiki.XWikiServerClassSheet from the xwiki-platform-wiki-ui-mainwiki package version 14.4 (GitHub Advisory).