Cyber Resilience

CVE-2023-29210

Critical · Public PoC · RCE

Published: 15 April 2023
Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0647 (91.3rd percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-29210 is a critical-severity Eval Injection (CWE-95) vulnerability in XWiki (vendor xwiki, product xwiki). Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

XWiki Commons, the shared technical libraries used across multiple XWiki projects, contain a code-injection vulnerability in the notification preferences macros. Any user able to view commonly accessible documents can supply a crafted user parameter that is not properly escaped, allowing execution of arbitrary Groovy, Python, or Velocity code and resulting in full control of the XWiki installation. The affected macros are used in user-profile pages and are therefore present by default. The flaw is tracked as CWE-95 and CWE-94 and carries a CVSS 3.1 score of 9.9.

An attacker with only view rights on accessible documents can therefore achieve remote code execution without user interaction, bypassing intended access controls and obtaining complete administrative access to the wiki instance.

The vulnerability was addressed in the releases XWiki 13.10.11, 14.4.7, and 14.10; the corresponding commits and security advisory are published in the XWiki GitHub repository and Jira tracker.

The EPSS score for this CVE rose from a low baseline to a recorded peak of 0.0821, indicating measurable post-disclosure exploitation interest that warrants renewed attention even though the current probability has moderated to 0.0647.

EU & UK References

Vulnerability details

XWiki Commons are technical libraries common to several other top-level XWiki projects. Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macros that provide the notification filters. These macros are used in the user profiles and thus installed by default in XWiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10.

CWE(s): CWE-95 (Eval Injection), CWE-94 (Code Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Versions: 14.10 · ≤ 13.10.11 · 14.4.0 to 14.4.7

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-94: Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Addresses CWE-94: Dynamically generated code can be produced and executed inside an isolated chamber, preventing host compromise from code-injection payloads.
- Addresses CWE-94: Validates inputs used in dynamic code generation to block injected directives.
- Addresses CWE-94: Directly prevents execution of attacker-supplied code written into data memory regions.

References