Cyber Resilience

CVE-2023-29525

CriticalPublic PoC

Published: 19 April 2023

Published
19 April 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.5426 98.1th percentile
Risk Priority 52 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-29525 is a critical-severity Injection (CWE-74) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.9 (Critical).

Operationally, ranked in the top 1.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform versions prior to the listed patches are affected by an XWiki syntax injection vulnerability in the since parameter of the LegacyNotificationAdministration endpoint at /xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration. The flaw permits an attacker to supply unescaped XWiki syntax that is evaluated at runtime, resulting in arbitrary code execution once elevated privileges are obtained.

An authenticated user holding only view rights can exploit the injection to escalate directly to programming rights and achieve remote code execution on the server. The attack requires no user interaction and can be performed over the network with low complexity, consistent with the CVSS 9.9 rating and CWE-74 classification.

Official advisories and patches recommend immediate upgrade to XWiki 15.0-rc-1, 14.10.3, or 14.4.8. Administrators unable to upgrade can apply the supplied workarounds by editing the LegacyNotificationAdministration page to introduce proper escaping or, for releases older than 14.6-rc-1, by modifying the distribution/eventmigration.wiki template file.

The EPSS score has remained flat at its peak value of 0.5426 with no material upward trajectory after disclosure.

EU & UK References

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Affected versions of xwiki are subject to code injection in the `since` parameter of the `/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration` endpoint. This provides an XWiki syntax injection…

more

attack via the since-parameter, allowing privilege escalation from view to programming rights and subsequent code execution privilege. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8 and 14.10.3. Users are advised to upgrade. Users unable to upgrade may modify the page `XWiki.Notifications.Code.LegacyNotificationAdministration` to add the missing escaping. For versions < 14.6-rc-1 a workaround is to modify the file `<xwikiwebapp>/templates/distribution/eventmigration.wiki` to add the missing escaping.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xwiki
xwiki
≤ 14.4.8 · 14.5 — 14.10.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References