CVE-2023-29524
Published: 19 April 2023
Summary
CVE-2023-29524 is a critical-severity Injection (CWE-74) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.9 (Critical).
Operationally, it is ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform, a generic wiki platform, contains an injection vulnerability tracked as CVE-2023-29524 that permits arbitrary code execution under the privileges of the Scheduler Application sheet. The flaw stems from insufficient restrictions on the XWiki.SchedulerJobClass object type, allowing Groovy scripts placed in the Job Script field to run in the server context when the profile page is viewed.
An authenticated user without script or programming rights can exploit the issue by editing their own user profile through the object editor, inserting a malicious SchedulerJobClass instance. Successful exploitation grants the attacker the ability to execute arbitrary code on the server, resulting in full confidentiality, integrity, and availability impact as reflected in the CVSS 9.9 score.
Advisories published by the XWiki project, including GHSA-fc42-5w56-qw7h and the linked Jira issues, state that the vulnerability has been fixed in versions 14.10.3 and 15.0 RC1; administrators are advised to upgrade, and the project reports no known workarounds.
The EPSS score has remained steady at its peak value of 0.4773 with no material increase after disclosure.
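As an added defender-side illustration (not code from this page or from the XWiki project), the check below scans an XWiki document XML export (the format inside a XAR) for XWiki.SchedulerJobClass objects attached to documents outside the Scheduler space, such as a user profile. It assumes the "Job Script" field is stored as a `script` property and that legitimate jobs live in the `Scheduler` space; the sample document is constructed.

```python
import xml.etree.ElementTree as ET

# Object class named in the advisory; "script" is assumed to be the stored
# property behind the "Job Script" field (assumption, not stated on the page).
SCHEDULER_CLASS = "XWiki.SchedulerJobClass"
SCRIPT_PROPERTY = "script"
# Assumption: the Scheduler application keeps its own job documents in this space.
EXPECTED_SPACE = "Scheduler"


def find_rogue_scheduler_jobs(xwikidoc_xml: str) -> list:
    """Return one finding per SchedulerJobClass object on a document that is
    not in the Scheduler space (e.g. a user profile in the XWiki space)."""
    root = ET.fromstring(xwikidoc_xml)
    space = root.findtext("web", default="")
    doc = f"{space}.{root.findtext('name', default='')}"
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != SCHEDULER_CLASS or space == EXPECTED_SPACE:
            continue
        script = (obj.findtext(f"property/{SCRIPT_PROPERTY}") or "").strip()
        findings.append({
            "document": doc,
            "object_number": int(obj.findtext("number", default="0")),
            "has_script": bool(script),
            "script_preview": script[:60],  # enough to triage, not to re-run
        })
    return findings


# Constructed sample: a user profile carrying a scheduler job object.
SAMPLE_PROFILE = """<xwikidoc version="1.3" reference="XWiki.alice" locale="">
  <web>XWiki</web>
  <name>alice</name>
  <object>
    <name>XWiki.alice</name>
    <number>0</number>
    <className>XWiki.XWikiUsers</className>
    <property><first_name>Alice</first_name></property>
  </object>
  <object>
    <name>XWiki.alice</name>
    <number>0</number>
    <className>XWiki.SchedulerJobClass</className>
    <property><jobName>profile</jobName></property>
    <property><script>println("constructed sample job script")</script></property>
  </object>
</xwikidoc>"""

if __name__ == "__main__":
    for finding in find_rogue_scheduler_jobs(SAMPLE_PROFILE):
        print(finding)
```

Running the same function over every document in a wiki export gives an inventory of scheduler job objects that sit outside the Scheduler space, which is the condition this advisory describes.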
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1286
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the rights of the Scheduler Application sheet page. A user without script or programming rights can edit their user profile with the object editor and add a new object of type XWiki.SchedulerJobClass. In "Job Script", Groovy code can be added and will be executed in the server context on viewing. This has been patched in XWiki 14.10.3 and 15.0 RC1. Users are advised to upgrade. There are no known workarounds for this issue.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.