CVE-2023-50723
Published: 15 December 2023
Summary
CVE-2023-50723 is a critical-severity Code Injection (CWE-94) vulnerability in XWiki Platform (vendor XWiki). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 9.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
XWiki Platform, a generic wiki platform, contains a code injection vulnerability in versions from 2.3 up to but not including 14.10.15, 15.5.2, and 15.7-rc-1. The flaw stems from missing output escaping when rendering administration interface sections in the XWiki.ConfigurableClassMacros and XWiki.ConfigurableClass pages, allowing an attacker to obtain programming rights. The issue is tracked under CWE-94 and CWE-95 and carries a CVSS score of 9.9.
Any user able to edit wiki pages, including their own user profile page, can exploit the missing escaping to inject and execute arbitrary code. Successful exploitation grants full programming rights, enabling an attacker to compromise the confidentiality, integrity, and availability of the entire XWiki installation.
The official XWiki security advisory and associated patches state that the vulnerability is resolved in releases 14.10.15, 15.5.2, and 15.7RC1. Administrators are advised to upgrade or manually apply the provided patches to the two affected pages referenced in the GitHub commits.
The EPSS score remains flat at 0.0539 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-3271
Vulnerability details
XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying sections in the administration interface. This impacts the confidentiality, integrity and availability of the whole XWiki installation. Normally, all users are allowed to edit their own user profile so this should be exploitable by all users of the XWiki instance. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1. The patches can be manually applied to the `XWiki.ConfigurableClassMacros` and `XWiki.ConfigurableClass` pages.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.