CVE-2023-29210
Published: 15 April 2023
Summary
CVE-2023-29210 is a critical-severity Eval Injection (CWE-95) vulnerability in XWiki (vendor XWiki, product XWiki). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
XWiki Commons, the shared technical libraries used across multiple XWiki projects, contain a code-injection vulnerability in the notification preferences macros. Any user able to view commonly accessible documents can supply a crafted user parameter that is not properly escaped, allowing execution of arbitrary Groovy, Python, or Velocity code and resulting in full control of the XWiki installation. The affected macros are present by default in user-profile pages. The flaw is tracked as CWE-95 and CWE-94 and carries a CVSS 3.1 score of 9.9.
An attacker with only view rights on accessible documents can therefore achieve remote code execution without user interaction, bypassing intended access controls and obtaining complete administrative access to the wiki instance.
The vulnerability was addressed in the releases XWiki 13.10.11, 14.4.7, and 14.10; the corresponding commits and security advisory are published in the XWiki GitHub repository and Jira tracker.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0821, indicating measurable post-disclosure exploitation interest that warrants renewed attention even though current probability has moderated to 0.0647.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1364
Vulnerability details
XWiki Commons are technical libraries common to several other top-level XWiki projects. Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macros that provide the notification filters. These macros are used in the user profiles and are thus installed by default in XWiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside an isolated sandbox, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.