Cyber Resilience

CVE-2023-29507

Critical

Published: 16 April 2023
Modified: 06 February 2025
KEV Added: not listed
Patch: available (XWiki 14.10 and 14.4.7)
CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0994 (93.2nd percentile)
Risk priority: 24 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-29507 is a critical-severity Incorrect Use of Privileged APIs (CWE-648) vulnerability in XWiki (vendor xwiki, product xwiki). Its CVSS base score is 9.1 (Critical).

Operationally, it ranks in the top 6.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

XWiki Commons, the shared technical libraries used across multiple XWiki projects, contains a vulnerability in the Document script API. The API directly exposes a DocumentAuthors object that permits arbitrary author assignment on a document; because the document author is subsequently used for rights checks, this can enable unauthorized script execution. The flaw is tracked as CVE-2023-29507 with a CVSS 3.1 score of 9.1 and affects versions prior to the listed fixes.

An authenticated user with administrative rights (PR:H in the vector) can exploit the issue remotely by setting a privileged author on a document, causing later script invocations from that document to run with the elevated rights of the assigned author and potentially compromising confidentiality, integrity, and availability across the XWiki instance (S:C).

The vulnerability was addressed in XWiki 14.10 and 14.4.7 by modifying the API to return a safe wrapper instead of the raw DocumentAuthors object. Corresponding commits and the GitHub Security Advisory GHSA-pwfv-3cvg-9m4c document the change and recommend upgrading to a patched release.

The associated EPSS score has remained flat at 0.0994 with no material upward trajectory after disclosure.

Vulnerability details

XWiki Commons are technical libraries common to several other top-level XWiki projects. The Document script API directly returns a DocumentAuthors object, allowing any author to be set on the document, which in consequence can allow subsequent executions of scripts, since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.

CWE(s)

CWE-648: Incorrect Use of Privileged APIs
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki
Product: xwiki
Versions listed: 14.10; 14.4.1 to 14.4.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References

GitHub Security Advisory GHSA-pwfv-3cvg-9m4c