Cyber Resilience

CVE-2023-29522

CriticalPublic PoC

Published: 19 April 2023

Published
19 April 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.3649 97.2th percentile
Risk Priority 42 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-29522 is a critical-severity Injection (CWE-74) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.9 (Critical).

Operationally, ranked in the top 2.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform, a generic wiki platform that provides runtime services for applications, contains an injection vulnerability tracked as CVE-2023-29522. Any user with view rights can execute arbitrary script macros, including Groovy and Python macros, by accessing a non-existent page whose name has been crafted to contain a malicious payload. The flaw permits remote code execution with unrestricted read and write access to all wiki contents and is assigned CWE-74 and a CVSS score of 9.9.

An authenticated attacker with only view permissions can trigger the issue remotely without user interaction, achieving full compromise of the wiki instance through script execution. The attack requires no special privileges beyond standard view rights and works by forcing evaluation of the injected payload during page resolution.

Official advisories and patches state that the vulnerability has been fixed in XWiki 14.4.8, 14.10.3, and 15.0RC1, and administrators are advised to upgrade immediately; no workarounds are available. The associated GitHub security advisory and XWiki Jira entry provide the commit details and upgrade guidance.

The EPSS score remains flat at 0.3649 with no material increase after disclosure.

EU & UK References

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read…

more

and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. This issue has been patched in XWiki 14.4.8, 14.10.3 and 15.0RC1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xwiki
xwiki
≤ 14.4.8 · 14.5 — 14.10.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References