Cyber Resilience

CVE-2023-35166

CriticalPublic PoC

Published: 20 June 2023

Published
20 June 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.2440 96.2th percentile
Risk Priority 34 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-35166 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.9 (Critical).

Operationally, ranked in the top 3.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

XWiki Platform, a generic wiki runtime, contains an authorization flaw that permits any user able to register a tip UI extension to execute arbitrary wiki content under the identity of the TipsPanel author. The issue stems from missing permission checks when processing such extensions and is tracked as CWE-863. It affects all releases prior to the fixes issued in XWiki 15.1-rc-1 and 14.10.5.

An authenticated attacker with low privileges can therefore obtain full read, write, and administrative control over the affected wiki instance, including the ability to modify pages, escalate rights, and access restricted content across scopes. The CVSS 9.9 rating reflects the combination of network attack vector, low complexity, and changed scope that leads to complete confidentiality, integrity, and availability impact.

Public advisories published with the GitHub Security Advisory GHSA-h7cw-44vp-jq7h and the corresponding XWiki Jira ticket XWIKI-20281 describe the vulnerability and point to the corrective commit that restores proper authorization checks on tip UI extensions. Administrators are advised to upgrade to one of the patched versions.

EPSS scores for the CVE rose from lower values after disclosure to a recorded peak of 0.3022 on 2025-12-11 before receding to the current 0.2440, indicating a later increase in observed exploitation interest.

EU & UK References

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. This has been…

more

patched in XWiki 15.1-rc-1 and 14.10.5.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

xwiki
xwiki
8.1 — 14.10.5

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-863

Periodic review and update of procedures reduces incorrect authorization implementations over time.

addresses: CWE-863

Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.

addresses: CWE-863

Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.

addresses: CWE-863

The authorization process and usage restrictions help prevent incorrect authorization for remote access types.

addresses: CWE-863

Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.

addresses: CWE-863

Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.

addresses: CWE-863

Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments.

addresses: CWE-863

Ensures authorization decisions for external system use are correctly implemented and enforced.

References