Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki does not properly escape the section URL parameter that is used in the code for displaying administration sections. This allows any user with read access to the document XWiki.AdminSheet (by default, everyone including unauthenticated users) to execute code including Groovy code. This impacts the confidentiality, integrity and availability of the whole XWiki …