Cyber Resilience

CVE-2023-29519

CriticalPublic PoC

Published: 19 April 2023

Published
19 April 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0474 89.7th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-29519 is a critical-severity Injection (CWE-74) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.0 (Critical).

Operationally, ranked in the top 10.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform, a generic wiki platform for building applications, contains an injection vulnerability tracked as CVE-2023-29519. A registered user can achieve remote code execution and subsequent privilege escalation by supplying crafted input in the property field of an attachment selector gadget placed on their personal dashboard. The flaw is categorized under CWE-74 and carries a CVSS 3.1 score of 9.0; it does not affect wiki comments.

An authenticated attacker with no other special privileges can exploit the issue over the network by creating or modifying a dashboard gadget, resulting in arbitrary code execution within the XWiki runtime and full compromise of the affected instance.

Official advisories and patches state that the vulnerability is resolved in XWiki 13.10.11, 14.4.8, 14.10.2, and 15.0-rc-1; administrators are advised to upgrade to one of these releases, as no workarounds are available.

EPSS for the CVE rose from lower values to a peak of 0.1610 before receding to the current 0.0474, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an…

more

attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xwiki
xwiki
≤ 13.10.11 · 14.0 — 14.4.8 · 14.5 — 14.10.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References