CVE-2023-29204
Published: 15 April 2023
Summary
CVE-2023-29204 is a medium-severity Open Redirect (CWE-601) vulnerability in XWiki (the XWiki Commons libraries). Its CVSS base score is 4.7 (Medium).
Operationally, it ranks in the top 22.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki Commons, the shared technical libraries used across multiple XWiki projects, contain an open redirect flaw tracked as CVE-2023-29204. The code intended to block external redirects could be bypassed by supplying a protocol-relative URL such as `//mydomain.com` or a malformed single-slash variant such as `http:/mydomain.com`, allowing an attacker-controlled destination to be reached.
An unauthenticated remote attacker can craft a malicious link that, once clicked by a victim, redirects the user’s browser to an arbitrary external site. Because the CVSS vector includes user interaction and changed scope, the primary impact is a low-severity confidentiality exposure that can facilitate phishing or further social-engineering attacks.
The project addressed the issue in releases 13.10.10, 14.4.4, and 14.8RC1; the corresponding commits and the GitHub Security Advisory GHSA-xwph-x6xj-wggv document the fix and recommend upgrading to a patched version.
EPSS for the CVE rose from a low baseline to a peak of 0.0983 on 2025-12-11 before receding to the current value of 0.0102, indicating a measurable increase in exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1434
Vulnerability details
XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as `//mydomain.com` (i.e. omitting the `http:`). It was also possible to bypass it when using a URL such as `http:/mydomain.com`. The problem has been patched in XWiki 13.10.10, 14.4.4 and 14.8RC1.
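The two bypass shapes from the advisory, as an added illustration that is not XWiki's code: a hypothetical naive check that treats anything without an explicit `http(s)://` prefix as wiki-relative, beside a hardened check that accepts only single-slash relative paths. The sample redirect targets are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample redirect targets: the two bypass shapes from the
# advisory plus ordinary in-wiki paths and a few other malformed forms.
SAMPLES = [
    "/bin/view/Main/WebHome",         # legitimate relative path
    "/bin/view/Sandbox/?xpage=plain",  # relative path with a query string
    "//mydomain.com",                 # protocol-relative (CVE-2023-29204)
    "http:/mydomain.com",             # single-slash scheme (CVE-2023-29204)
    "https://mydomain.com/login",     # plain absolute URL
    "/\\mydomain.com",                # backslash variant browsers may normalise
    "javascript:alert(1)",            # non-http scheme
]


def naive_is_internal(target: str) -> bool:
    """Hypothetical weak check (not XWiki's code): anything that does not
    start with http:// or https:// is assumed to be a wiki-relative path.
    A browser reads '//host' and 'http:/host' as absolute, so both slip past."""
    lowered = target.lower()
    return not (lowered.startswith("http://") or lowered.startswith("https://"))


def hardened_is_internal(target: str) -> bool:
    """Accept only same-origin relative paths: a single leading '/', no
    scheme, no authority, and no '//' or '/\\' prefix that a browser would
    interpret as a protocol-relative host."""
    if not target or target[0] != "/":
        return False
    if len(target) > 1 and target[1] in "/\\":
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def classify(targets=SAMPLES) -> dict:
    """Return {target: (naive_verdict, hardened_verdict)}; True means allowed."""
    return {t: (naive_is_internal(t), hardened_is_internal(t)) for t in targets}


if __name__ == "__main__":
    for t, (naive, hard) in classify().items():
        print(f"{t:32} naive={'allow' if naive else 'block':5}  "
              f"hardened={'allow' if hard else 'block'}")
```

If absolute same-origin URLs must also be accepted, compare the parsed host and scheme from `urlsplit` against the wiki's own origin rather than loosening the prefix rules.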
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.