CVE-2022-36100: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki xwiki-platform
XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Starting with version 1.7 in XWiki Platform Applications Tag and prior to 13.10.6 and 14.4 in XWiki Platform Tag UI, the tags document `Main.Tags` in XWiki didn't sanitize user inputs properly. This allowed users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. This also allowed bypassing all rights checks and thus both modification and disclosure of all content stored in the XWiki installation. The vulnerability could be used to impact the availability of the wiki. On XWiki versions before 13.10.4 and 14.2, this can be combined with CVE-2022-36092, meaning that no rights are required to perform the attack. The vulnerability has been patched in versions 13.10.6 and 14.4. As a workaround, the patch that fixes the issue can be manually applied to the document `Main.Tags` or the updated version of that document can be imported from version 14.4 of xwiki-platform-tag-ui using the import feature in the administration UI on XWiki 10.9 and later.
AI Analysis
Technical Summary
CVE-2022-36100 is a code injection vulnerability in the XWiki Platform, specifically in the Applications Tag and Tag UI components that implement tagging for XWiki, a generic wiki platform. The flaw sits in the wiki document `Main.Tags`, which did not properly sanitize user-supplied input before that input became part of the rendered page. In XWiki, the scripts in a document execute with the rights of the document's author, and `Main.Tags` is installed with an author that holds programming rights, which is why the advisory says that injected Groovy, Python or Velocity code runs with programming rights rather than with the rights of the user making the request. Programming rights are the highest privilege level in XWiki: unrestricted Groovy means arbitrary JVM code on the server, so the blast radius is the host, not only the wiki's content. The only precondition is view right on `Main.Tags`, which everyone has on a public wiki and every authenticated user has on a typical private one. An attacker can therefore read or modify any content in the installation, bypassing every rights check, and can degrade or take down the service. On versions before 13.10.4 and 14.2 the issue can be chained with CVE-2022-36092, in which case no rights at all are required. Affected versions are 1.7 up to but not including 13.10.6, and 14.0 up to but not including 14.4; the fix shipped in 13.10.6 and 14.4. Because the fix is a change to a wiki document rather than only to a jar, it can also be applied without a full upgrade: edit `Main.Tags` to apply the vendor's patch by hand, or on XWiki 10.9 and later import the updated document from version 14.4 of xwiki-platform-tag-ui through the import feature in the administration UI. No exploitation in the wild was known at the time of this analysis. The vulnerability is classified under CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code) and CWE-94 (Improper Control of Generation of Code): user input reached a code-execution path without being neutralized.
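To turn the version ranges above into a check that can be run across an inventory, here is an added example in Python, written for this page and not XWiki project code. It assumes XWiki version strings of the form `13.10.5` or `14.4-rc-1`, and it treats a pre-release qualifier as older than the final release, which is an assumption rather than something the advisory states.

```python
"""Version triage for CVE-2022-36100 (added example, not XWiki project code).

Ranges are taken from the advisory text:
  * 1.7  <= version < 13.10.6  (fixed in 13.10.6)
  * 14.0 <= version < 14.4     (fixed in 14.4)
Chaining with CVE-2022-36092 (no rights needed) applies before 13.10.4 and 14.2.
The document-import workaround needs XWiki 10.9 or later.
"""
import re
from typing import Tuple

# Assumed shape of XWiki version strings: numeric components, optionally
# followed by a pre-release qualifier such as -rc-1 or -SNAPSHOT.
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:-(rc|milestone|snapshot)[-\d]*)?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '13.10.5' or '14.4-rc-1' into a tuple that sorts correctly.

    Components are padded to three so that 14.4 == 14.4.0. A pre-release
    qualifier appends -1 so it sorts before the final release; treating an
    RC as still vulnerable is an assumption, chosen to err on the safe side.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (3 - len(parts))
    return parts + ((-1,) if m.group(2) else (0,))


V = parse_version

AFFECTED = ((V("1.7"), V("13.10.6")), (V("14.0"), V("14.4")))  # [start, fixed)
CHAIN_FIXED_13X, CHAIN_FIXED_14X = V("13.10.4"), V("14.2")      # CVE-2022-36092
IMPORT_WORKAROUND_MIN = V("10.9")


def assess(version_text: str) -> dict:
    """Report whether a version needs action and which action is open to it."""
    v = parse_version(version_text)
    affected = any(start <= v < fixed for start, fixed in AFFECTED)
    on_14x = v >= V("14.0")
    chain_fixed = CHAIN_FIXED_14X if on_14x else CHAIN_FIXED_13X
    return {
        "version": version_text,
        "affected": affected,
        # On these builds the view-right precondition can be bypassed.
        "unauthenticated_via_cve_2022_36092": affected and v < chain_fixed,
        "fix_target": ("14.4" if on_14x else "13.10.6") if affected else None,
        "import_workaround_available": affected and v >= IMPORT_WORKAROUND_MIN,
    }


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for ver in ("9.11", "13.10.3", "13.10.5", "13.10.6", "14.1", "14.4-rc-1", "14.4"):
        print(assess(ver))
```

The two branches are handled separately because a 13.10.x build is fixed at 13.10.6 while a 14.x build needs 14.4; comparing everything against a single "latest" version would misclassify a patched 13.10.6 as vulnerable.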
Potential Impact
For European organizations that run XWiki as a collaboration or knowledge-management platform, the risk is full compromise of the wiki from the lowest level of access. A user who can only view pages gains execution with programming rights, which means reading any page (including restricted spaces that hold personal data or internal documentation), altering or deleting content, and, since programming rights allow arbitrary JVM code, acting on the underlying server. That translates into disclosure of corporate and personal data, loss of integrity of the documentation teams rely on, GDPR exposure where personal data is stored in the wiki, intellectual property theft and reputational damage. On versions before 13.10.4 and 14.2 the chain with CVE-2022-36092 removes even the view-right precondition, so an Internet-facing wiki on those versions is open to unauthenticated attackers. Availability can be affected as well, deliberately or as a side effect of a clumsy attack, which matters for teams that keep runbooks or incident-response procedures in the wiki. A compromised wiki server is also a plausible pivot into the internal network.
Mitigation Recommendations
1. Upgrade to XWiki Platform 13.10.6 or 14.4 (or later). The fix is a change to the wiki document `Main.Tags`, so after upgrading confirm in the page history or the distribution wizard that the document was actually replaced; a locally customised copy of the page can survive an upgrade unchanged.
2. If an immediate upgrade is not feasible, apply the vendor's patch to `Main.Tags` by hand, or on XWiki 10.9 and later import the updated document from version 14.4 of xwiki-platform-tag-ui through the import feature in the administration UI.
3. Restricting view rights on `Main.Tags` to trusted users reduces exposure on private wikis, but it is a partial measure: it breaks tag browsing for everyone else, it does nothing on a public wiki where the page must stay readable, and on versions before 13.10.4 and 14.2 the chain with CVE-2022-36092 removes the rights requirement entirely.
4. Keep the XWiki instance off untrusted networks where possible; network segmentation and access controls limit who can reach the page at all.
5. Review web server access logs for requests to `Main.Tags` whose parameters contain XWiki macro syntax (`{{groovy}}`, `{{python}}`, `{{velocity}}`) or its URL-encoded forms, and review the XWiki logs for unexpected script execution or rights changes.
6. Audit who holds programming rights. XWiki executes a document's scripts with the rights of that document's author, so every account with programming rights is an account whose saved pages run unrestricted code.
7. A WAF or RASP rule that blocks macro syntax in query parameters to the tags page is a compensating control only; encoding variants and alternative macro names make it bypassable, and it does not replace the patch.
8. Make sure administrators understand that XWiki security fixes often ship as document updates as well as jar updates, and apply them promptly.
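An added example of the log review in item 5, written for this page and not XWiki project code: it parses combined-format access log lines, keeps requests whose path ends in `/Main/Tags`, decodes every query parameter (including double-encoded values) and flags values that contain XWiki macro syntax. The log lines are constructed, and the parameter name `tag` in them is an assumption; the check itself looks at all parameters rather than guessing which one the vulnerable document read.

```python
"""Access-log review for injection attempts against Main.Tags
(added example, not XWiki project code).

Flags any request to the tags page whose query parameters carry XWiki macro
syntax. It does not assume which parameter the vulnerable document read: every
parameter is decoded and inspected, and double URL-encoding is unwrapped.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# XWiki macro openers/closers for the script languages named in the advisory,
# plus {{script}}, {{html}} and {{async}}, which a tag name never legitimately
# contains.
MACRO_RE = re.compile(
    r"\{\{/?\s*(groovy|python|velocity|script|html|async)\b", re.IGNORECASE
)

# Combined log format (Apache/nginx default); only IP, time, request line and
# status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_tags_request(target: str) -> bool:
    """True when the request path is the Main.Tags document (any action)."""
    return urlsplit(target).path.rstrip("/").lower().endswith("/main/tags")


def suspicious_params(target: str) -> List[Tuple[str, str]]:
    """Return (name, decoded value) for parameters containing macro syntax."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this catches %25 tricks
        if MACRO_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan(lines) -> List[Dict]:
    """Walk log lines and collect requests to Main.Tags with macro payloads."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_tags_request(m["target"]):
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"],
                             "status": m["status"], "params": hits})
    return findings


# Constructed sample lines; the 'tag' parameter name is an assumption.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2022:10:14:02 +0000] "GET /xwiki/bin/view/Main/Tags?tag=security HTTP/1.1" 200 5123',
    '203.0.113.7 - - [12/Sep/2022:10:14:09 +0000] "GET /xwiki/bin/view/Main/Tags?tag=%7B%7Bgroovy%7D%7Dprintln%28%27x%27%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 200 4870',
    '198.51.100.4 - - [12/Sep/2022:10:15:30 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9001',
    '198.51.100.4 - - [12/Sep/2022:10:16:01 +0000] "GET /xwiki/bin/view/Main/Tags?tag=%257B%257Bvelocity%257D%257D%2524request HTTP/1.1" 200 4801',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["params"])
```

A 200 status on a flagged line is not proof of success, only that the page rendered; the XWiki logs and the page history of `Main.Tags` and any pages modified around the same time are where to confirm what the payload did. POST bodies are not in the access log, so this check only covers GET requests.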
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-07-15T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9849c4522896dcbf694f
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 11:35:32 PM
Last updated: 8/7/2025, 11:16:55 AM