Cyber Resilience

CVE-2023-29523

Critical · Public PoC

Published: 19 April 2023

Modified: 21 November 2024
KEV Added: (not listed)
Patch: available (see versions below)
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.1058 (93.4th percentile)
Risk Priority: 26 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-29523 is a critical-severity Injection (CWE-74) vulnerability in XWiki (NVD vendor/product: xwiki/xwiki). Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 6.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform contains an improper neutralization of special elements in output used by a downstream component (CWE-74) that permits script macro execution. Any user able to edit their own profile can invoke arbitrary Groovy or Python macros through the profile page, or via the `display` method on documents, including those generated by the App Within Minutes application. The flaw affects all versions prior to the listed patches and carries a CVSS 3.1 score of 9.9, with a network attack vector and low attack complexity.

An authenticated attacker with only profile-edit rights can achieve remote code execution, obtaining unrestricted read and write access to all wiki contents and potentially pivoting to the underlying host. The same vector can be triggered indirectly when application pages render user-controlled fields containing wiki syntax, expanding the attack surface beyond direct profile modification.

Official advisories and the XWiki security notice state there is no workaround and direct operators to upgrade to 13.10.11, 14.4.8, 14.10.2, or 15.0RC1. The referenced GitHub advisory and commit confirm the root cause was insufficient escaping of macro content in user-editable fields and document display routines.

EPSS rose from lower values to a peak of 0.1505 before settling at the current 0.1058, indicating measurable post-disclosure exploitation interest that warrants renewed attention for unpatched instances.

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile can execute arbitrary script macros, including Groovy and Python macros, that allow remote code execution including unrestricted read and write access to all wiki contents. The same vulnerability can also be exploited in other contexts where the `display` method on a document is used to display a field with wiki syntax, for example in applications created using `App Within Minutes`. This has been patched in XWiki 13.10.11, 14.4.8, 14.10.2 and 15.0RC1. There is no workaround apart from upgrading.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / product: xwiki / xwiki
Affected versions: ≤ 13.10.11 · 14.0 — 14.4.8 · 14.5 — 14.10.2

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Addresses CWE-74: Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).
