CVE-2023-29214

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. The problem has been patched on XWiki 14.4.7, and 14.10.

Published: Apr 16, 2023
Updated: May 10, 2024
CVE: CVE-2023-29214
GHSA: GHSA-qx9h-c5v6-ghqh
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-94
CWE-95

Affected Software
References

Software	From	Fixed in
org.xwiki.platform / xwiki-platform-panels-ui	1.1-M2	13.10.11
org.xwiki.platform / xwiki-platform-panels-ui	14.0-rc-1	14.4.7
org.xwiki.platform / xwiki-platform-panels-ui	14.5	14.10
xwiki / xwiki	14.4.0	14.4.7
xwiki / xwiki	-	13.10.11
xwiki / xwiki	14.10-rc1	14.10-rc1.x

https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf5b69f67
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qx9h-c5v6-ghqh
https://jira.xwiki.org/browse/XWIKI-20306

Vulnerability Database

CVE-2023-29214

Deep Security Visibility Without the Complexity