Code Injection in XWiki platform - CVE-2023-45135

Published: October 25, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129918
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-45135
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of script in the page creation action, which does not sanitize the user-supplied title parameter. A remote user can send a crafted link and trick the victim into clicking the "Create" button, executing arbitrary code in the victim's context.

User interaction is required, and the impact depends on the victim's rights: script execution if the victim holds script right, or full instance access if the victim holds programming right.
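Added detection example (not from the advisory or the XWiki project): a scanner for web-server access logs that flags requests to the page creation action whose title parameter carries markup. It assumes XWiki's create action is reached through a "/bin/create/" path and that the title arrives as the "title" query parameter; the markup patterns are detection heuristics, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not stated in the advisory): the create action lives under
# "/bin/create/" and the user-supplied title is the "title" query parameter.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
CREATE_PATH = re.compile(r"/bin/create/")
# Heuristic: markup that has no business in a plain page title, such as wiki
# macro braces, Velocity references or directives, or raw HTML tags.
SUSPICIOUS_TITLE = re.compile(r"\{\{|\}\}|\$[{!]?[A-Za-z]|#[A-Za-z]+\(|<[A-Za-z/]")


def suspicious_create_requests(lines):
    """Return (client_ip, decoded_title) for create-action requests whose
    title parameter contains markup. parse_qs undoes URL encoding, so an
    encoded title such as %7B%7B is inspected in its decoded form."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _method, target = m.groups()
        url = urlsplit(target)
        # Only the create action is in scope; the same title elsewhere is ignored.
        if not CREATE_PATH.search(url.path):
            continue
        for title in parse_qs(url.query).get("title", []):
            if SUSPICIOUS_TITLE.search(title):
                hits.append((ip, title))
    return hits


# Constructed sample access-log lines (combined log format, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Oct/2023:10:00:01 +0000] "GET /bin/create/Main/Notes?title=Meeting+notes HTTP/1.1" 200 5120',
    '203.0.113.9 - - [25/Oct/2023:10:00:07 +0000] "GET /bin/create/Main/Foo?title=Meeting+%7B%7Bx%7D%7D HTTP/1.1" 200 5133',
    '198.51.100.2 - - [25/Oct/2023:10:01:00 +0000] "GET /bin/view/Main/WebHome?title=%7B%7Bx%7D%7D HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for ip, title in suspicious_create_requests(SAMPLE_LOG):
        print(f"{ip}: create request with markup in title: {title!r}")
```

Titles submitted in a POST body are not visible in access logs, so pair this with application-side logging of the create form if that path is in use.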


How to mitigate CVE-2023-45135

Install the security update from the vendor's website.

Sources