CVE-2022-36100: 
Java vulnerability analysis and mitigation

A critical security vulnerability (CVE-2022-36100) was discovered in XWiki Platform Tag UI affecting versions prior to 13.10.6 and 14.4. The vulnerability existed in the tags document 'Main.Tags' where user inputs were not properly sanitized, allowing users with view rights to execute arbitrary code (GitHub Advisory).

The vulnerability is classified as an Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) with a CVSS v3.1 score of 10.0 (Critical). The attack vector is network-based, with low attack complexity and requiring low privileges. The vulnerability allows for scope change and has high impact on confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability allows users with view rights (default in public wikis or authenticated users in private wikis) to execute arbitrary Groovy, Python, and Velocity code with programming rights. This enables bypassing all rights checks, allowing both modification and disclosure of all content stored in the XWiki installation. Additionally, it could impact the wiki's availability (GitHub Advisory).

The vulnerability has been patched in versions 13.10.6 and 14.4. For earlier versions, users can manually apply the patch to the Main.Tags document or import the updated version of that document from version 14.4 of xwiki-platform-tag-ui using the import feature in the administration UI on XWiki 10.9 and later (GitHub Advisory).