CVE-2022-41931: 
Java vulnerability analysis and mitigation

xwiki-platform-icon-ui was found to be vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). The vulnerability, identified as CVE-2022-41931, was discovered in versions from 6.4-milestone-2 onwards and affects any user with view rights on commonly accessible documents including the icon picker macro. The vulnerability allows execution of arbitrary Groovy, Python, or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro (GitHub Advisory).

The vulnerability stems from improper parameter escaping in IconPickerMacro, specifically in the handling of macro parameters. The issue allows attackers to inject and execute arbitrary code through the 'id' and 'class' parameters of the icon picker macro. The vulnerability has been assigned a Critical severity with a CVSS v3.1 score of 10.0, indicating the highest level of severity. The attack vector is Network-based, with low attack complexity and requiring low privileges (GitHub Advisory).

The vulnerability allows attackers with view rights to execute arbitrary Groovy, Python, or Velocity code in XWiki, effectively enabling a privilege escalation from basic view rights to programming rights. This could potentially lead to unauthorized access to sensitive data, system manipulation, and compromise of the XWiki platform's integrity (GitHub Advisory, XWIKI Jira).

The vulnerability has been patched in XWiki versions 13.10.7, 14.4.2, and 14.5. For users unable to update immediately, two workarounds are available: manually applying the patch by editing IconThemesCode.IconPickerMacro in the object editor, or replacing the whole document by importing it from the XAR archive of a fixed version (GitHub Advisory).