CVE-2023-29516
Published: 19 April 2023
Summary
CVE-2023-29516 is a critical-severity injection (CWE-74) vulnerability in XWiki Platform (vendor XWiki). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 3.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform, a generic wiki platform, contains an injection vulnerability in the default XWiki.AttachmentSelector page. Any user granted view rights on that page can trigger arbitrary Groovy, Python, or Velocity code execution because the "Cancel and return to page" button fails to escape user-controlled input, resulting in full administrative access to the XWiki installation. The issue is tracked as CWE-74 and carries a CVSS 3.1 score of 9.9.
An attacker with only view privileges on the affected page can exploit the flaw remotely without user interaction, achieving code execution that spans the entire XWiki instance due to the platform's script service permissions. This grants the ability to read, modify, or delete any content and configuration, effectively compromising the confidentiality, integrity, and availability of the wiki deployment.
Official advisories and patches state that the vulnerability is resolved in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11; no workarounds are available, so administrators are advised to upgrade to one of the fixed releases. The referenced GitHub security advisory and commit provide the precise code change that restores proper escaping.
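Because the fix was shipped as three maintenance-branch backports plus one main-line release, a bare "version >= X" check misclassifies installs such as 14.7.0 that sit between branches. The version-triage helper below is an added example (not code from the page or the XWiki project); it assumes the four fixed releases named above are the only fix points, that a release is patched only if it is at least the main-line fix or at least the backport on its own major.minor branch, and that anything older than 13.10.11 never received the fix.

```python
import re

# Fixed releases named in the advisory: three maintenance-branch backports
# plus the first main-line release that carries the fix.
FIXED_RELEASES = ["13.10.11", "14.4.8", "14.10.1", "15.0-rc-1"]

# Pre-release qualifiers sort below the final release of the same number.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}


def parse_version(text):
    """Turn an XWiki version string such as '15.0-rc-1' into a sortable tuple.

    Returns (major, minor, patch, qualifier_rank, qualifier_number); a final
    release gets qualifier_rank 2 so that 15.0-rc-1 < 15.0 < 15.0.1.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, qualifier, qnum = m.groups()
    rank = _QUALIFIER_RANK[qualifier] if qualifier else 2
    return (int(major), int(minor), int(patch or 0), rank, int(qnum or 0))


def is_patched(installed):
    """True if `installed` carries the CVE-2023-29516 fix on its own branch.

    Assumption (not stated on the page): a release is patched only if it is
    at least the main-line fix, or it is on the same major.minor maintenance
    branch as a backport and at least that backport. Releases in between,
    such as 14.7.0 or 14.11.0, never received the fix.
    """
    v = parse_version(installed)
    fixes = sorted(parse_version(f) for f in FIXED_RELEASES)
    mainline = fixes[-1]
    if v >= mainline:
        return True
    return any(v[:2] == f[:2] and v >= f for f in fixes[:-1])


def triage(inventory):
    """Map each (host, version) pair to 'patched' or 'vulnerable'."""
    return {host: ("patched" if is_patched(ver) else "vulnerable") for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = [("wiki-a", "14.10.3"), ("wiki-b", "14.7.0"),
              ("wiki-c", "15.0-rc-1"), ("wiki-d", "13.10.10")]
    for host, status in triage(sample).items():
        print(host, status)
```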
EPSS for this CVE rose from a low baseline to a peak of 0.3196 (current value 0.2689), indicating that exploitation interest increased after public disclosure and that the issue merits renewed attention from defenders.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1172
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping in the "Cancel and return to page" button. This page is installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. There are no known workarounds for this vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping has not run yet for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
Attack and anomaly monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).