CVE-2023-29507
Published: 16 April 2023
Summary
CVE-2023-29507 is a critical-severity Incorrect Use of Privileged APIs (CWE-648) vulnerability in XWiki Commons (XWiki). Its CVSS base score is 9.1 (Critical).
Operationally, it ranks in the top 6.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
XWiki Commons, the shared technical libraries used across multiple XWiki projects, contains a vulnerability in the Document script API. The API directly exposes the raw DocumentAuthors object, which permits arbitrary author assignments on a document; because the document's author identity is subsequently used for rights checks, a script that rewrites the author can cause later script executions to pass those checks. The flaw is tracked as CVE-2023-29507 with a CVSS 3.1 score of 9.1 and affects versions before the fixes in 14.4.7 and 14.10.
An authenticated user with administrative rights can exploit the issue remotely: by setting a privileged author on a document, they cause subsequent script invocations in that document to be evaluated against the forged author and run with elevated privileges, potentially compromising confidentiality, integrity, and availability across the XWiki instance.
The vulnerability was addressed in XWiki 14.10 and 14.4.7 by modifying the API to return a safe wrapper instead of the raw DocumentAuthors object, so scripts can no longer change who the document's author is. The corresponding commits and the GitHub Security Advisory GHSA-pwfv-3cvg-9m4c document the change and recommend upgrading to a patched release.
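To make the bug shape concrete, the following is an added Java model written for this page; it is not XWiki's own code. The class names DocumentAuthors, SafeDocumentAuthors, Document and AuthorizationManager, the method names, and the user names XWiki.Admin and XWiki.Mallory are stand-ins. The model assumes the safe wrapper simply omits the setter; the real fix returns a script-safe API, whose exact shape is not reproduced here.

```java
import java.util.HashSet;
import java.util.Set;

/**
 * Model of the CVE-2023-29507 pattern (CWE-648): a script-facing API that
 * hands out a privileged, mutable object whose state feeds a rights check.
 * All names are hypothetical stand-ins, not XWiki's real classes.
 */
public class AuthorsApiDemo {

    /** Stand-in for the raw authors record. The setter is legitimate for
     *  core code but must never be reachable from an untrusted script. */
    static final class DocumentAuthors {
        private String contentAuthor;

        DocumentAuthors(String contentAuthor) { this.contentAuthor = contentAuthor; }
        String getContentAuthor() { return contentAuthor; }
        void setContentAuthor(String user) { this.contentAuthor = user; }
    }

    /** Read-only view: the shape the patched script API returns instead of
     *  the raw object. Deliberately has no setter. */
    static final class SafeDocumentAuthors {
        private final DocumentAuthors delegate;

        SafeDocumentAuthors(DocumentAuthors delegate) { this.delegate = delegate; }
        public String getContentAuthor() { return delegate.getContentAuthor(); }
    }

    /** Rights oracle: which users hold programming right (constructed). */
    static final class AuthorizationManager {
        private final Set<String> programmingUsers = new HashSet<>();

        AuthorizationManager grant(String user) { programmingUsers.add(user); return this; }
        boolean hasProgrammingRight(String user) { return programmingUsers.contains(user); }
    }

    /** A document whose embedded scripts run with the rights of its content author. */
    static final class Document {
        private final DocumentAuthors authors;

        Document(String author) { this.authors = new DocumentAuthors(author); }

        /** VULNERABLE shape: exposes the raw mutable object to scripts. */
        DocumentAuthors getAuthorsVulnerable() { return authors; }

        /** PATCHED shape: exposes only the read-only wrapper. */
        SafeDocumentAuthors getAuthors() { return new SafeDocumentAuthors(authors); }

        String contentAuthor() { return authors.getContentAuthor(); }
    }

    /** The authorization gate: a script in doc may run privileged code only
     *  if the document's content author holds programming right. */
    static boolean scriptMayRunPrivileged(Document doc, AuthorizationManager auth) {
        return auth.hasProgrammingRight(doc.contentAuthor());
    }

    public static void main(String[] args) {
        AuthorizationManager auth = new AuthorizationManager().grant("XWiki.Admin");

        // Constructed scenario: a low-privilege user authored a page that contains a script.
        Document page = new Document("XWiki.Mallory");
        System.out.println("gate before tampering: " + scriptMayRunPrivileged(page, auth));

        // Vulnerable API: the script reaches the setter and claims a privileged author,
        // so the gate is now evaluated against the forged identity.
        page.getAuthorsVulnerable().setContentAuthor("XWiki.Admin");
        System.out.println("gate after tampering:  " + scriptMayRunPrivileged(page, auth));

        // Patched API: only the read-only view is reachable from a script.
        // The following line does not compile, which is the point of the wrapper:
        // fixedPage.getAuthors().setContentAuthor("XWiki.Admin");
        Document fixedPage = new Document("XWiki.Mallory");
        System.out.println("patched view author:   " + fixedPage.getAuthors().getContentAuthor());
        System.out.println("patched gate:          " + scriptMayRunPrivileged(fixedPage, auth));
    }
}
```

Compile and run with `javac AuthorsApiDemo.java && java AuthorsApiDemo`. The review check this illustrates is general: any script-API method that returns a mutable core object whose fields later feed an authorization decision has this bug shape, regardless of whether the caller already holds some rights; the wrapper must prevent the mutation rather than rely on the caller being trusted.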
The associated EPSS score has remained flat at 0.0994 with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1368
Vulnerability details
XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.
- CWE(s): CWE-648 Incorrect Use of Privileged APIs
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Upgrade to XWiki 14.4.7 or 14.10 (or a later release), where the Document script API returns a safe wrapper instead of the raw DocumentAuthors object. No further per-CVE controls have been mapped for this vulnerability.