
CVE-2023-29521

Severity: High · Public PoC referenced

Published: 19 April 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available
CVSS v3.1 score: 8.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS score: 0.1493 (94.7th percentile)
Risk Priority: 26 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-29521 is a high-severity injection vulnerability (CWE-74) in XWiki Platform (vendor xwiki, product xwiki). Its CVSS v3.1 base score is 8.4 (High).

Operationally, it ranks in the top 5.3% of CVEs by EPSS exploit likelihood (94.7th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform, a generic wiki platform for building applications, contains an improper escaping flaw in the Macro.VFSTreeMacro page. Any user with view rights can use it to execute arbitrary Groovy, Python or Velocity code, giving full access to the XWiki installation. The page is not installed by default. The issue is tracked as CWE-74 with a CVSS v3.1 base score of 8.4.

An attacker needs network access to the wiki (AV:N) and an account holding view rights (PR:L); no user interaction is required (UI:N). Because the injected script runs inside the wiki engine rather than within the attacker's own rights, the vector records a scope change (S:C), and the vector rates attack complexity as high (AC:H). The attack surface is limited to deployments on which the Macro.VFSTreeMacro page has been installed.
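
The escaping failure described above, as an added illustration that is not XWiki code and not the VFSTreeMacro source: a toy Python renderer in which an unescaped {{groovy}} block stands for a script macro and '~' is the escape character (the role it plays in XWiki Syntax 2.1). The "tree page" builder, the payload and the internal mask character are constructed for the demonstration; script bodies are recorded, never executed. The vulnerable builder concatenates attacker-controlled text into wiki markup, the hardened builder escapes it first.

```python
"""Constructed illustration of the weakness class behind CVE-2023-29521 (CWE-74).

Added example, not XWiki code: a toy wiki renderer in which an unescaped
{{groovy}}...{{/groovy}} block is a script macro and '~' escapes the next
character.  Script bodies are only recorded, never executed.  tree_page()
stands in for any macro that interpolates attacker-controlled text (a file
name, a path) into wiki markup; it is not the VFSTreeMacro source.
"""
from __future__ import annotations

import re

MACRO_RE = re.compile(r"\{\{groovy\}\}(.*?)\{\{/groovy\}\}", re.DOTALL)
MASK = "\ue000"  # private-use code point used internally to mark escaped characters


def escape_wiki(text: str) -> str:
    """Neutralise wiki syntax by prefixing every character with '~'.

    Escaping every character, including '~' itself, means the result can never
    open or close a macro no matter which characters the parser treats as special.
    """
    return "".join("~" + ch for ch in text)


def render(markup: str) -> tuple[str, list[str]]:
    """Return (rendered text, bodies of script macros that would have run).

    Escaped characters are marked before macro matching, so '~{~{groovy}}'
    can never start a macro even though it prints as '{{groovy}}'.
    """
    masked: list[str] = []
    i = 0
    while i < len(markup):
        ch = markup[i]
        if ch == "~" and i + 1 < len(markup):
            masked.append(MASK + markup[i + 1])  # escaped: literal, never syntax
            i += 2
        elif ch == MASK:
            i += 1  # drop stray mask characters from input so the mask stays unambiguous
        else:
            masked.append(ch)
            i += 1

    scripts: list[str] = []

    def run_macro(m: re.Match) -> str:
        scripts.append(m.group(1).replace(MASK, ""))
        return "<script output>"

    rendered = MACRO_RE.sub(run_macro, "".join(masked))
    return rendered.replace(MASK, ""), scripts


def tree_page(entry_name: str, escaped: bool) -> str:
    """Constructed listing line for one entry; escaped=False is the vulnerable form."""
    value = escape_wiki(entry_name) if escaped else entry_name
    return f"* file: {value}"


# Constructed attacker-controlled entry name carrying a script macro.
PAYLOAD = 'notes.txt{{groovy}}println("owned"){{/groovy}}'


def demo() -> dict:
    vuln_text, vuln_scripts = render(tree_page(PAYLOAD, escaped=False))
    safe_text, safe_scripts = render(tree_page(PAYLOAD, escaped=True))
    # An attacker who pre-escapes the payload gets no further: escape_wiki also escapes '~'.
    pre_text, pre_scripts = render(tree_page("~{~{groovy}}x~{~{/groovy}}", escaped=True))
    return {
        "vulnerable_scripts": vuln_scripts,
        "vulnerable_text": vuln_text,
        "hardened_scripts": safe_scripts,
        "hardened_text": safe_text,
        "pre_escaped_scripts": pre_scripts,
        "pre_escaped_text": pre_text,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point the example makes is that the fix is not a blocklist of "dangerous" characters but escaping of everything that reaches the wiki parser from untrusted input; the pre-escaped case shows why the escape character itself must be escaped.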

Official advisories from the XWiki project and the associated GitHub security advisory direct users to upgrade to 15.0-rc-1, 14.10.2, 14.4.8 or 13.10.11, where the escaping has been corrected. No workarounds are documented. Because the vulnerable page is not installed by default, checking whether Macro.VFSTreeMacro exists on an instance is the quickest way to gauge exposure, but upgrading remains the only documented fix.

The EPSS score is reported as 0.1493 with no material change since disclosure, and none of the references on this page report active exploitation.


Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Macro.VFSTreeMacro`. This page is not installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.2, 14.4.8, 13.10.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: xwiki · Product: xwiki
Affected versions: < 13.10.11 · 14.0 to < 14.4.8 · 14.5 to < 14.10.2 (each upper bound is the fixed release on that branch; 15.0-rc-1 and later are also fixed)
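
A version check a practitioner would want for the affected ranges in this section and for the upgrade guidance earlier on the page, added here as an example rather than anything XWiki ships: it parses XWiki-style version strings (14.10.2, 15.0-rc-1, 14.10-milestone-1) and reports whether a version falls in the listed ranges and which fixed release applies. It assumes the upper bound of each range is exclusive, since those are exactly the versions the advisory names as fixed, and that an unknown qualifier denotes a pre-release.

```python
"""Constructed version check for CVE-2023-29521 (added example, not an XWiki tool).

Affected ranges follow this page's Affected Assets entry for xwiki/xwiki, with each
upper bound read as exclusive because the advisory names 13.10.11, 14.4.8, 14.10.2
and 15.0-rc-1 as the fixed releases.  Version strings follow XWiki's
'MAJOR.MINOR[.PATCH][-rc-N | -milestone-N]' form.
"""
from __future__ import annotations

# Pre-release qualifiers sort below the final release of the same number.
QUALIFIER_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 2

# (inclusive lower bound or None, exclusive upper bound == first fixed release on that branch)
AFFECTED_RANGES = [
    (None, "13.10.11"),
    ("14.0", "14.4.8"),
    ("14.5", "14.10.2"),
]


def parse_version(version: str) -> tuple[tuple[int, int, int], int, int]:
    """Turn '14.10.2' or '15.0-rc-1' into a key that sorts like XWiki releases.

    Missing numeric positions are zero-filled so that '14.10' == '14.10.0';
    an unknown qualifier (assumption) is treated as a pre-release rather than rejected.
    """
    parts = version.strip().split("-")
    nums = [int(x) for x in parts[0].split(".")]
    if not 1 <= len(nums) <= 3:
        raise ValueError(f"unexpected version: {version!r}")
    nums += [0] * (3 - len(nums))
    if len(parts) == 1:
        return (nums[0], nums[1], nums[2]), FINAL_RANK, 0
    rank = QUALIFIER_RANK.get(parts[1].lower(), 0)
    iteration = int(parts[2]) if len(parts) > 2 and parts[2].isdigit() else 0
    return (nums[0], nums[1], nums[2]), rank, iteration


def assess(version: str) -> tuple[bool, str | None]:
    """Return (affected?, first fixed release on the matching branch or None).

    Versions above every listed range (15.0 milestones, for instance) come back
    as not listed: that is what the page's ranges say, not a safety guarantee.
    """
    key = parse_version(version)
    for low, high in AFFECTED_RANGES:
        above_low = low is None or parse_version(low) <= key
        if above_low and key < parse_version(high):
            return True, high
    return False, None


if __name__ == "__main__":
    for v in ("13.10.10", "13.10.11", "14.4.7", "14.10", "14.10.2", "15.0-rc-1"):
        affected, fix = assess(v)
        print(f"{v:>10}: {'AFFECTED, upgrade to ' + fix if affected else 'not in listed ranges'}")
```

Feed it the version reported by the instance's administration page; release candidates of a fixed version (14.4.8-rc-1, for example) are reported as affected because they sort below the final release.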

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-74) cited in the NVD entry.

Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) that identify improper neutralization of special elements, with verifiable flaw remediation correcting them before deployment.

Addresses CWE-74: Anomaly and attack monitoring that identifies indicators of injection attacks (command, SQL, LDAP and similar).
