CVE-2023-29525
Published: 19 April 2023
Summary
CVE-2023-29525 is a critical-severity Injection (CWE-74) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.9 (Critical).
Operationally, ranked in the top 1.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform versions prior to the listed patches are affected by an XWiki syntax injection vulnerability in the since parameter of the LegacyNotificationAdministration endpoint at /xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration. The flaw permits an attacker to supply unescaped XWiki syntax that is evaluated at runtime, resulting in arbitrary code execution once elevated privileges are obtained.
An authenticated user holding only view rights can exploit the injection to escalate directly to programming rights and achieve remote code execution on the server. The attack requires no user interaction and can be performed over the network with low complexity, consistent with the CVSS 9.9 rating and CWE-74 classification.
Official advisories and patches recommend immediate upgrade to XWiki 15.0-rc-1, 14.10.3, or 14.4.8. Administrators unable to upgrade can apply the supplied workarounds by editing the LegacyNotificationAdministration page to introduce proper escaping or, for releases older than 14.6-rc-1, by modifying the distribution/eventmigration.wiki template file.
The EPSS score has remained flat at its peak value of 0.5426 with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1337
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Affected versions of xwiki are subject to code injection in the `since` parameter of the `/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration` endpoint. This provides an XWiki syntax injection…
more
attack via the since-parameter, allowing privilege escalation from view to programming rights and subsequent code execution privilege. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8 and 14.10.3. Users are advised to upgrade. Users unable to upgrade may modify the page `XWiki.Notifications.Code.LegacyNotificationAdministration` to add the missing escaping. For versions < 14.6-rc-1 a workaround is to modify the file `<xwikiwebapp>/templates/distribution/eventmigration.wiki` to add the missing escaping.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.