CVE-2023-29523
Published: 19 April 2023
Summary
CVE-2023-29523 is a critical-severity Injection (CWE-74) vulnerability in XWiki (vendor: XWiki). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 6.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform contains an improper neutralization of special elements in output used by a downstream component (CWE-74) that permits script macro execution. Any user able to edit their own profile can invoke arbitrary Groovy or Python macros through the profile page, or via the `display` method on documents, including those generated by the App Within Minutes application. The flaw affects all versions prior to the listed patched releases and carries a CVSS 3.1 score of 9.9, with a network attack vector and low attack complexity.
An authenticated attacker with only profile-edit rights can achieve remote code execution, obtaining unrestricted read and write access to all wiki contents and potentially pivoting to the underlying host. The same vector can be triggered indirectly when application pages render user-controlled fields containing wiki syntax, expanding the attack surface beyond direct profile modification.
Official advisories and the XWiki security notice state there is no workaround and direct operators to upgrade to 13.10.11, 14.4.8, 14.10.2, or 15.0RC1. The referenced GitHub advisory and commit confirm the root cause was insufficient escaping of macro content in user-editable fields and document display routines.
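Because the advisory offers no workaround, the practical first step for an operator is to find which instances are still on a pre-fix release. The following is an added example (not code from the advisory or from the XWiki project) that compares an inventory of XWiki version strings against the four fixed releases named above. It assumes XWiki's usual `major.minor[.patch][RC|M n]` version format and interprets the advisory conservatively: a version counts as patched only if it is at or after the fix on its own maintenance line (13.10.x, 14.4.x, 14.10.x) or at or after 15.0RC1; versions on lines that received no fix (for example 14.5 through 14.9) are reported as vulnerable. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Tuple

# Fixed releases named in the advisory for CVE-2023-29523.
FIXED_VERSIONS = ("13.10.11", "14.4.8", "14.10.2", "15.0RC1")

# Pre-release qualifiers sort before a final release: M (milestone) < RC < final.
_QUALIFIER_RANK = {"M": 0, "RC": 1}
_FINAL_RANK = 2

# Assumed version grammar: major.minor[.patch][RCn|Mn], e.g. 14.10.2 or 15.0RC1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(M|RC)(\d+))?$", re.IGNORECASE)

VersionKey = Tuple[int, int, int, int, int]


def parse_version(version: str) -> VersionKey:
    """Turn an XWiki version string into a comparable tuple.

    13.10.11 -> (13, 10, 11, 2, 0)   15.0RC1 -> (15, 0, 0, 1, 1)   15.0 -> (15, 0, 0, 2, 0)
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, qualifier, qual_num = m.groups()
    if qualifier:
        rank, qnum = _QUALIFIER_RANK[qualifier.upper()], int(qual_num)
    else:
        rank, qnum = _FINAL_RANK, 0
    return (int(major), int(minor), int(patch or 0), rank, qnum)


_FIXED_KEYS = [parse_version(v) for v in FIXED_VERSIONS]
_FIRST_FIXED_NEW_LINE = parse_version("15.0RC1")


def is_patched(version: str) -> bool:
    """True if the version is at/after the fix on its maintenance line, or >= 15.0RC1."""
    key = parse_version(version)
    for fixed in _FIXED_KEYS:
        # Same major.minor line and at or after the fixed patch level.
        if key[:2] == fixed[:2] and key >= fixed:
            return True
    # Every release from 15.0RC1 onward post-dates the fix (assumption stated above).
    return key >= _FIRST_FIXED_NEW_LINE


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patched', 'VULNERABLE' or 'unknown version'."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "VULNERABLE"
        except ValueError:
            result[host] = "unknown version"
    return result


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "wiki-prod.example.internal": "14.10.1",
    "wiki-lts.example.internal": "13.10.11",
    "wiki-dev.example.internal": "14.7.0",
    "wiki-new.example.internal": "15.2.1",
    "wiki-legacy.example.internal": "n/a",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:32} {status}")
```

Feed `triage_inventory` the version strings your asset inventory or CMDB already holds; anything reported as `VULNERABLE` or `unknown version` needs a manual upgrade decision, since the advisory lists no mitigation short of moving to a fixed release.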
The EPSS score rose from lower values to a peak of 0.1505 before settling at the current 0.1058, indicating measurable post-disclosure exploitation interest and warranting renewed attention for unpatched instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1421
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The same vulnerability can also be exploited in other contexts where the `display` method on a document is used to display a field with wiki syntax, for example in applications created using `App Within Minutes`. This has been patched in XWiki 13.10.11, 14.4.8, 14.10.2 and 15.0RC1. There is no workaround apart from upgrading.
- CWE(s): CWE-74 (Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects those findings before deployment.
Anomaly and attack monitoring that identifies indicators of injection attacks (command, SQL, LDAP, etc.).