CVE-2023-29521
Published: 19 April 2023
Summary
CVE-2023-29521 is a high-severity Injection (CWE-74) vulnerability in XWiki. Its CVSS base score is 8.4 (High).
Operationally, it ranks in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform, a generic wiki platform for building applications, contains an improper escaping flaw in the Macro.VFSTreeMacro component. This allows any user with view rights to execute arbitrary Groovy, Python, or Velocity code, granting full access to the XWiki installation. The macro is not present by default, and the issue is tracked under CWE-74 with a CVSS score of 8.4.
An attacker with view rights on an affected instance can leverage the macro to run code that bypasses intended restrictions, achieving complete control over the server environment. Exploitation requires network access but no user interaction beyond the granted view permission, and the attack surface is limited to deployments where the macro has been manually added.
Official advisories from the XWiki project and the associated GitHub security notice direct users to upgrade to versions 15.0-rc-1, 14.10.2, 14.4.8, or 13.10.11, where the escaping issue has been corrected. No workarounds are documented.
The EPSS score remains flat at 0.1493 with no material increase after disclosure, and no public reports of active exploitation have been noted in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1363
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation.
The root cause is improper escaping of `Macro.VFSTreeMacro`. This page is not installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.2, 14.4.8, 13.10.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
- Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).