CVE-2022-41928: 
Java vulnerability analysis and mitigation

XWiki Platform was found vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The vulnerability was discovered in September 2022 and affects versions from 5.0-milestone-1. The issue was patched in versions 13.10.7, 14.4.2, and 14.5. The vulnerability allows users with view rights on commonly accessible documents including the attachment selector macro to execute arbitrary code (GitHub Advisory).

The vulnerability exists in the AttachmentSelector.xml component where dangerous payloads can be inserted in the 'height' or 'alt' macro properties. The issue received a CVSS v3.1 score of 10.0 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network attack vector, low complexity, low privileges required, no user interaction needed, and high impact on confidentiality, integrity and availability (GitHub Advisory).

The vulnerability allows any user with view rights to execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the attachment selector macro. This could lead to privilege escalation from simple user rights to programming rights (GitHub Advisory, XWIKI Jira).

The issue has been patched in versions 13.10.7, 14.4.2, and 14.5. Users can fix the vulnerability on a running wiki by updating XWiki.AttachmentSelector with the patched versions. No other workarounds are known (GitHub Advisory).