CVE-2023-46243
Published: 07 November 2023
Summary
CVE-2023-46243 is a critical-severity Code Injection (CWE-94) vulnerability in XWiki Platform (vendor XWiki). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 8.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
XWiki Platform, a generic wiki platform, contains an improper control of generation of code vulnerability (CWE-94) that lets a user with edit rights on a document execute arbitrary content with the privileges of that document's content author. The flaw is triggered by a specially crafted URL to the edit endpoint whose content parameter carries a Groovy script macro, for example {{groovy}}println("Hello from Groovy!"){{/groovy}}; the injected script is rendered, and therefore executed, when the page is viewed.
An authenticated attacker who possesses edit access to any existing document can therefore achieve remote code execution on the server, resulting in full confidentiality, integrity, and availability impact across the XWiki instance as reflected by the CVSS 9.9 score.
Official advisories and the linked GitHub security notice state that the issue is resolved in XWiki 14.10.6 and 15.2RC1; administrators are advised to upgrade, and the project reports no known workarounds.
The associated EPSS score has remained flat at 0.0748 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2962
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user has edit right on it. A crafted URL of the form `/xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view` can be used to execute arbitrary Groovy code on the server. This vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. Users are advised to update. There are no known workarounds for this issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry. These are generic CWE-94 controls, not vendor guidance: the advisory above names no workaround, and the stated fix is upgrading to XWiki 14.10.6 or 15.2RC1.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code is produced and executed inside an isolated sandbox, so a code-injection payload cannot compromise the host.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.