Cyber Resilience

CVE-2023-29516

Severity: Critical · Public PoC referenced

Published: 19 April 2023
Modified: 21 November 2024
KEV added: not listed
Patch: fixed releases available (see below)
CVSS v3.1 score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS score: 0.2689 (96.5th percentile)
Risk priority: 36 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-29516 is a critical-severity injection (CWE-74) vulnerability in XWiki Platform (vendor xwiki, product xwiki). Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, it is ranked in the top 3.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform, a generic wiki platform, contains an injection vulnerability in the default XWiki.AttachmentSelector page. Any user granted view rights on that page can trigger arbitrary Groovy, Python, or Velocity code execution because the "Cancel and return to page" button fails to escape user-controlled input, resulting in full administrative access to the XWiki installation. The issue is tracked as CWE-74 and carries a CVSS 3.1 score of 9.9.

An attacker with only view privileges on the affected page can exploit the flaw remotely without user interaction, achieving code execution that spans the entire XWiki instance due to the platform's script service permissions. This grants the ability to read, modify, or delete any content and configuration, effectively compromising the confidentiality, integrity, and availability of the wiki deployment.

Official advisories and patches state that the vulnerability is resolved in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11; no workarounds are available, so administrators are advised to upgrade to one of the fixed releases. The referenced GitHub security advisory and commit provide the precise code change that restores proper escaping.

EPSS for this CVE rose from a low baseline to a peak of 0.3196 (current value 0.2689), indicating that exploitation interest increased after public disclosure and that the issue merits renewed attention from defenders.

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping in the "Cancel and return to page" button. This page is installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. There are no known workarounds for this vulnerability.

CWE(s)

CWE-74 (Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki · Product: xwiki
Affected versions: ≤ 13.10.11 · 14.0 to 14.4.8 · 14.5 to 14.10.1

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-74): Developer assessments and testing, including injection-focused techniques, identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Control (addresses CWE-74): Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
