Main Vulnerability Database Vulnerabilities #VU129913

Eval Injection in XWiki platform - CVE-2023-46731

Published: November 6, 2023 / Updated: May 5, 2026

Vulnerability identifier: #VU129913

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2023-46731

CWE-ID: CWE-95

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
XWiki platform

Software vendor:
XWiki

Description

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the Administration section display code in XWiki.AdminSheet when processing the section URL parameter. A remote attacker can send a specially crafted request to execute arbitrary code.

By default, the issue is reachable by anyone with read access to XWiki.AdminSheet, including unauthenticated users.

Remediation

Install security update from vendor's website.

Eval Injection in XWiki platform - CVE-2023-46731

Description

Remediation

External links

Please verify you're human