CVE-2023-35166
Published: 20 June 2023
Summary
CVE-2023-35166 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.9 (Critical).
Operationally, ranked in the top 3.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform, a generic wiki runtime, contains an authorization flaw that permits any user able to register a tip UI extension to execute arbitrary wiki content under the identity of the TipsPanel author. The issue stems from missing permission checks when processing such extensions and is tracked as CWE-863. It affects all releases prior to the fixes issued in XWiki 15.1-rc-1 and 14.10.5.
An authenticated attacker with low privileges can therefore obtain full read, write, and administrative control over the affected wiki instance, including the ability to modify pages, escalate rights, and access restricted content across scopes. The CVSS 9.9 rating reflects the combination of network attack vector, low complexity, and changed scope that leads to complete confidentiality, integrity, and availability impact.
Public advisories published with the GitHub Security Advisory GHSA-h7cw-44vp-jq7h and the corresponding XWiki Jira ticket XWIKI-20281 describe the vulnerability and point to the corrective commit that restores proper authorization checks on tip UI extensions. Administrators are advised to upgrade to one of the patched versions.
EPSS scores for the CVE rose from lower values after disclosure to a recorded peak of 0.3022 on 2025-12-11 before receding to the current 0.2440, indicating a later increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1816
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. This has been…
more
patched in XWiki 15.1-rc-1 and 14.10.5.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Periodic review and update of procedures reduces incorrect authorization implementations over time.
Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.
Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.
The authorization process and usage restrictions help prevent incorrect authorization for remote access types.
Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.
Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.
Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.
Ensures authorization decisions for external system use are correctly implemented and enforced.